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dom number generators until they were proved to be 

MACHINE GENERATION OF CRYPTOGRAPHIC insecure. 

KEYS BY NON-LINEAR PROCESSES SIMILAR TO The degree of non-linearity required to make 

PROCESSES NORMALLY ASSOCIATED WITH key cipher systems cryptographically secure is cur- 

ENCRYPTION OF DATA 5 rently an open question. A recent approach to the gen- 
eration of random numbers for purposes of cryptogra- 

RELATION TO THE RELATED PATENT pny is to exploit some mathematically intractable prob- 

APPLICATIONS lem from number theory in order to gain cryptographic 

The present patent application is related to U.S. pa- security, and considerable progress has been made with 

tent application Ser. No. 07/388,331, now abandoned, 10 respect to the efficiency of certain methods of random 

filed Aug. 1, 1989 for an ELECTROMAGNETIC TO number generation. However, until complexity theory 

PHYSICAL LOCK to the selfsame inventor of the can show decisively that these mathematical problems 

present application. The contents of the related patent on which the number generators are based are indeed 

application are incorporated herein by reference. intractable, a certain wariness will remain. 

xj a furnny tmt^ fxxz tot twcntthw 15 The present invention will be seen to be concerned 

BACKGROUND OF THE INVENTION ^ ^ gencration of largC( very _ largC| ^ indefinite. 

1. Field of the Invention ly-large cryptographic keys as suit large key crypto- 
The present invention generally concerns cryptology graphic systems including, notably but not by way of 

and cryptographic machines, and particularly concerns limitation, the one time pad. The way by which these 

machines for generating cryptographic keys of indeter- 20 largc crvp tographic keys are derived will be seen to be 

mmately long length. analogous to cryptographic processes themselves. 

2. Description of the Prior Art One analogous class of ciphers that are of special 
2.1 Background to the Present Invention in a Nutshell interest to the present invention is the transposition 
The art of secret writing is very ancient, and many block dpher The transposition block cipher is perform. 

different ^systems have been used throughout history. 23 able by p^cy ^ paper> ^ well ^ by faster meam such 

One of the oldest known ciphers is the Spartan scytale: ^ m a transposition block cipher a message 

a transposition cipher based on winding a narrow rib- h decomposed by letters into fixed length sequences 

bon of parchment spirally around a cyhndncd staff ^ ^ nccs ^^^y uscd as the rows in 

with tfje message then written on the parchment. The a NxM matrU block . A cryp togram is formed by tak- 

early Greeks used substitution of numerals for letters in 30 the 3rd column starting from 

some of their systems, while the Romans favored the ' 7 „ "TT* y ' " , " , um 

substitution of one letter for another in the form of the ^J^^T^ *f ltUm ^l^^lT* 

Caesar cipher starting from the bottom, and so on, with this path taken 

While transposition ciphers seem to have disappeared ***** th . e ^y. Many different "flavors" of columnar 

from use until relatively recently, substitution ciphers 35 tr ™?^J ?£ ers were devised mcludmg the so- 

continued to evolve in many different ways. With the ^P™*?*™ on ™ ™* ***** Gennan 

invention of the printing press, many types of "book A™* J** ADFGVX system also utilized substitution, 

ciphers" were devised wherein some book was chosen ^ ° rd f 10 P««« invention, it will be seen 

as the key for the substitutions. Of course, the entire that © the technologically obsolete notion of a small 

book could be viewed as one long key; thus was born 40 ke V * discarded, and then (u) the same ingenuity that 

the running key cipher. The running key cipher can be Gilbert Vernara used is applied. Namely, or in other 

improved dramatically by using a book of random let- word& » il wU! seen ^ present invention calls for 

ters, i.e. an incoherent key. the application of a bitwise transposition to a large inco- 

TTiese ideas finally crystallized in the Vernam cipher ne rent key to generate a keystream (subsequently usable 
where a message is bitwise XORed with a random key. 45 for diverse cryptographic processes in the encryption/- 
Army cryptologist Major Joseph Mauborgne then sug- decryption of data). The bitwise transposition will be 
gested that the key be used only once, and thus was seen to include (i) substitution through selected XOR- 
born the mother of all secret key ciphers, the one-time m S s of the "columns", and/or (ii) annihilation through 
pad. Subsequently, both William Friedman and Mau- skipping some of the "rows" in each "column", and/or 
borgne arrived at the conclusion that a secure system 50 a method of multiplexing the columns. Finally, as 
can be achieved only if an incoherent key is used whose still another essential idea of the present invention, it 
length is at least as long as the message. The theoretical will be seen that this bitwise transposition is "amor- 
foundation was then laid by C.E. Shannon with the idea phous", meaning that, complex as the transposition may 
of equivocation to provide perfect secrecy. The bad be in its substitutions and/or annihilations and/or muti- 
news was that perfection requires a key as long as the 55 plexing, it is (normally) repetitively recursively per- 
message. formed each time in a different way. 

The generation, distribution, and storage problems Cryptoanalysis of the amorphous transposition pro- 
associated with the one-time pad has heretofore made cesses gives rise to a mechanical correlation problem, 
this system impractical for most applications, so the The intractable nature of this problem appears likely to 
development of small key systems continued. One de- 60 be provable. Even if no proof of the cryptographic 
velopment was that of block ciphers following Shan- security of one or more of the amorphous transposition 
non*s suggestion of using a "mixing transformation" processes of the present invention is forthcoming, the 
implemented by applying several rounds of transpose apparent intractability of these amorphous processes are 
tions and substitutions to "diffuse" and "confuse" the arguably more attractive than any competing cryptol- 
statistics of the message. 65 ogy systems having a supposed intractability of cryp* 

Another development was the keystream ciphers toanalysis based on number theory because the latter 

based on pseudo random number generators. There was systems have an undesirable profundity inherent in their 

temporary interest in using linear shift registers as ran- fundamental objects such as the factoring problem. This 
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profundity is continually being revealed as further that if a pseudo random sequence of bits representing a 
mathematical research finds new structures which pro- key is contracted via permutations then the resulting 
vide means for realizing better algorithms to these prob- "cipher text" is really a new, secure, key. 
lcms. Applicant will also be seen to teach the use of a per- 

The bitwise transposition processes in accordance 5 mutation called an "expanding amorphous process". At 
with the present invention, on the other hand, will be least some particular forms of expanding amorphous 
seen to be, quite intuitively, shapeless— hence the de- processes are known, as would be expected because of 
scription "amorphous". The mathematical functions) the simplicity of these forms. One early type of an ex- 
defined by such an amorphous processes) will be seen panding amorphous process is a class of transposition 
to be so random that the prospects of finding any deep, 10 ciphers in which the message is written in matrix form 
anaJyzable, structures in the general amorphous me- Getter by letter) with the cryptogram formed by taking 
thod(s) of the present invention appears to be quite some path through the matrix to define the letters of the 
remote. cryptogram. The path taken together with the dimen- 

2.2 Particular Prior Art Cryptography Relevant to sions of the matrix comprise the cryptographic key of 
the Present Invention 15 these systems. Other shapes besides rectangles, e.g. 

The present invention does not directly concern the triangles, were also used, as well as blocking out certain 
encryption or decryption of data. Instead, it concerns squares in the template (the irregular columnar cipher), 
the generation of generally long cryptographic keys These ciphers were originally performed with pencil 
that are usable by diverse cryptographic processes, and paper so the paths were fairly simple. In one corn- 
including the one time pad. 20 mon version, the path went column by column, with the 

However, the present invention will be seen to call columns permutated, with the letters from the individ- 
for the manipulation of a cryptographic key in a like ual columns taken starting from the top, or starting from 
manner, and by like processes, that former crypto- the bottom, or starting from the top and bottom alter- 
graphic methods and systems were wont to manipulate nately. 

(eg., encrypt or decrypt) data. Since they key manipu- 25 These columnar ciphers will be seen to be similar to 
Lation methods of the present invention are (deemed by the generalized expanding amorphous processes of the 
the Applicant to be) well considered as regards their present invention. However, the present invention will 
preservation (and, indeed, even their inducement) of be seen not only to extend the application of expanding 
randomness, and amorphousness, in the data sets (i.e., amorphous processes (i.e., to keys as opposed to data), 
the seed keys) to which they are applied, it will be no 30 but to add some new "twists". The present invention 
surprise that these manipulation methods have a certain will be seen to teach each of (i) permuting a matrix of 
correspondence with, and antecedents within, the random bits in a feedback mode, (ii) logically comple- 
known methods of cryptography. In some cases the menting some bits and then multiplexing the "columns" 
preferred methods, and machines, of the present inven- via a holdback scheme, and (tti) an amorphous process 
tion will be seen to constitute variations— arguably even 35 called "dispersed partitioning", 
improvements— to certain prior art cryptographic 2.5 State Machines Are Known to be Used in Cryp- 
methods of the order of amorphous transforms. Ac- tography 

cordingly, understanding certain particular ones of Still furthermore, the present invention will be seen 
these prior art cryptographic methods will prove useful to employ, in one of its embodiments, a state machine, 
to placing the present invention in context. 40 Use of at least some parts of a state machine in keys- 

2.3 It is Known to Use oftheXOR Function in Cryp- tream generation is known. Specifically, the idea of 
tography using a machine index to select a function is discussed in 

The present invention will be seen to perform the C.E. Shannon's paper "Communication Theory of Se- 
exclusive or, or XOR, function on the bits of a set. The crecy Systems", Bell System Technical Journal, Vol. 
basic idea of using an incoherent keystream to perform 45 28, 1949, pages 656-715. Shannon analyzed ways to 
the XOR function on a message dates to the Vemam combine cipher systems, one basic way being to form a 
cipher of 1918. weighted sum consisting of a plurality of different en- 

2.4 Certain Types of Random Permutations Are coding transformations with each transformation as- 
Known to be Used in Cryptography signed a probability of being chosen for use to encode a 

The present invention will also be seen to teach the 50 particular message. From a conceptual standpoint, Ap- 
manipulation of the bits of a set by (essentially) random plicant's state machine method could be interpreted as a 
permutations. The use of random permutations in en- weighted sum of random number generators with a 
coding is known. Permutations have been used in voice machine index (to be explained in this specification) 
scrambling systems in both the time and frequency do- selecting a function (to be explained). However, Appli- 
mains. F. Ayoub appears, in his article "Encryption 55 cant's "function" will be seen to be dynamically rede- 
with keyed random permutations", Electronic Letters, fined at each transition: since the state variables are also 
Vol 17, 1981, pages 583-585, to have been first to sug- used to define this function. Furthermore, Applicant's 
gest using random permutations for digital data. Ayoub approach in generating a "garbage index" in order to 
applied an optimal permutation algorithm to minimize define a state transition function will deserve careful 
the key bits required. Ayoub notes that this method 60 consideration when later discussed, 
would be useful in substitution-permutation (SP>type As an aside, it may be understood that Shannon's 
encryption systems. paper is chiefly of theoretical interest dealing in entropy 

Ayoub shows, at least implicitly, one part of what and equivocation. In the course of presenting his theory 
Applicant will call a "contracting amorphous process", Shannon did point out some things which could be 
although Ayoub appears to have only understood per- 65 applied to build a secrecy system, but his paper did not 
mutations in the sense of using such during the encoding really present any new systems, and to this extent does 
of data. Ayoub does not seem to view his permutations not relate to Applicant's invention. However, one inter- 
as amorphous contraction, i.e. to make the observation esting point that Shannon made was that even a very 
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simple encryption system could be used if the message However, linear congruential generators can be pa- 
was first transformed to eliminate all of its redundan- rameterized to produce random numbers. If anon-linear 
cies. Unfortunately, such a transformation is in practice component is used, a secure sequence results. Here the 
extremely difficult, if not impossible, because of the equation takes the form x 2 mod N (where N is the prod- 
complexity inherent in natural languages, 3 uct of two distinct primes each congruent to 3 mod 4, 

2.6 Certain Types of Random Number Generators and xo is the quadratic residue mod N) and this is used to 

Are Known to be Used in Cryptography generate the sequence xo, xi. x 2> . . . from which the bit 

Applicant's method and machine performs random sequence bo, bi, bj, . . . where b/= parity (x/) is formed, 

number generation. There are several prominent ap- Messrs. L Blum M. Blum, and M. Snub show in their 

preaches to random number generation (to form a keys- 10 paper ''A Simple Secure Pseudo-Random Nuni^r Gen- 

£eam) that have been taken over the years that are erator" SIAM Journal of ^^<^"* 

worth mentioning. Linear shift registers have been tbor- 364-383 (the main result goes back to .about ^198^ bu 

oughly researched. Simple designs exist which have many years passed before their paper was published) 

process of mverong a matru formed from this ^nter- ™»« typic^iy around several hundred bits, 

cepted" portion. The use of non-bnear feedback for Blum's open question of whether more than a single bit 
shift registers complicates the situation, but the security ^ ^ was by ^ Umesh 

of such systems is somewhat dubious. y Vazirani md vijay v . Vazirani in "Efficient and 

Shannon suggests employing a mixing transforma- SccufC jp^^j^^ Number Generation", 25th 
tion" to "diffuse and confuse" the statistics of a mes- s ium on Foundations of Computer Sci- 

sage. Applicant's (encryption) of messages (at least en ce, IEEE Computer Society, Oct 24-26, 1984, pages 
directly), but rather of keys. However, Applicant s 2J 458 ^ 63 ^ VaziranTs found a way to emit log n bits 
invention will perform something that could, at least per multiplication, and their basic proof can be extended 
broadly and generically, be called a "mixing transfer- £ 0 ^ €mxAmsyt 

mation". Since most any modern digital circuitry can Thenj ^ 198g) Micali ^ Schnorr came up with a 
^ow" a lot a bits around, thereby performing the system based on the expression x* mod N, with their 
"mixing" with great vigor, it is useful to understand just 3Q system about ^ efficient as the simple linear congruen- 
how poorly "mixing transformations" have been imple- tia] generators. Reference S. Micali and CP. Schnorr, 
mented in the past in order to better assess whether the "Efficient, Perfect Random Number Generators", Lec- 
particular "mixing transformations" taught by Appli- toe Notes in Computer Science, Vol. 403, Advances in 
cant within this specification (even though applied to Cryptology: Proceedings of CRYPTO 88, Springer- 
keys) have cryptographic merit. 35 Verlag, 1989, pages 173-198. The "proofs" for the secu- 
European patent number 0035048 shows, in some nty of these generators are based on certain complexity 
sense, an early non-linear shift register system. The assumptions. Consequently, if tomorrow a good algo- 
system is an odd hybrid, comprised of block cipher type rithm for factoring is found, the security of these sys- 
"non-affine transformations" in the form of "S" boxes tcms w ui be invalidated. The continuing research seems 
(i.e. substitution tables), strangely, feedback from the 40 t0 indicate that the present assumptions are pretty good, 
message which is used to transform the key matrix. It's w i tn the evidence mounting in favor of the security of 
inventor, IBM's Horst Feistel, had in 1973 developed a these systems, but a proof as such has remained elusive 
well known block cipher named, of all things, LUCI- m & may never be found. 

FER. The banality of LUCIFER soon became apparent Implementing Micali-Schnorr's generator with a 
with this system duly broken. But its basic structure has 45 modulus of 224 bits yields 96 bits per multiplication, 
been retained, and in fact, this structure was originally This about matches the efficiency of an contracting 
due to Shannon's suggestion of employing a 4 *mixing amorphous process using a 128-bit frame feed by using 
transformation" to "diffuse and confuse" the statistics of the upper 16-bits of a 32-bit linear congruential genera- 
a message. tor. The Micali-Schnorr system is probably readily 

Continuing with the block cipher approach to a *inix- 50 scalable for trade-offs between security and efficiency, 
ing transformation" to "diffuse and confuse", IBM was and so may thus be superior to Applicant's system — not 
the main force behind the development of circuits to mention that Applicant's random number generator 
(chips) to perform block ciphers. IBM waived its many is only conjectured to be random, 
patent claims for the particular block cipher derivative Yet another idea pertaining to random number gener- 
later called the "Data Encryption Standard", or DES. 55 ation is that of composite generators in which the out- 
DES became the world's first encryption standard puts of several generators are added together, say, to 
around 1978, recently losing its certification in 1986. form a secure keystream. Statistically this appears to be 

Linear congruential generators are another recent a good idea, although composite generators have not 
development. A proper choice of parameters for the been cryptoanalyzed to Applicant's knowledge. Refer- 
equation x/-f l=(a*x,-f b) mod N yields good random 60 ence M. Brown and H. Solomon, "On combining pseu- 
number generators. The Applicant chose this generator dorandom number generators", Ann. Statistics, Vol. 7, 
as a reasonable "seeding source" as will be seen. How- 1979, pages 691-695. Linear shift registers have also 
ever, the numbers produced are not secure. Reference multiplexed together in various ways to form compos- 
A.M. Frieze, R. Kannan, and J.C. Lagarias, "Linear ites, eg. with one generator used to select the output bit 
Congruential Generators do not produce Random Se- 65 from another generator. 

quences", 25th Annual Symposium on Foundations of In 1973, the linear shift register generator using char- 
Computer Science, IEEE Computer Society, Oct. acteristic function x 607 -^ 334 -*- 1 was shown to have 
24-26, 1984, pages 480-484. "equidistribution and multidimensional uniformity 
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properties vastly in excess of anything that has yet been be found in S. Even, "Algorithmic Combinatorics", 
shown for conventional congruentially generated se- Macmillan, 1973. Minimal selector size results when 
quences". Reference J.P.R Tootill and W.D. Robinson only the Vs bits of the data are "permutated" by consid. 
and D J.Eagle, "An asymptotically random Tausworth ering only the combinations thereof, at the cost of in- 
Sequence", Journal of the Association for Computing 5 creased computational complexity. 
Machinery, Vol. 20, 1973, pages 469-481. This genera- As a compromise between complexity and selector 
tor has an astronomic period of 2 607 - 1. The output is size, the Applicant has devised a new method based on 
extracted from the full bitstream 23 bits at a time, and "hashed division" which generates nearly uniform per- 
then skipping 489 bits, then repeating. The upshot of mutations with only a slightly larger permutation selec- 
this is what Applicant calls "contraction", and goes 10 tor than the "division" method, while eliminating the 
back to 1965 when Tausworth first used a LSR as a need for multiplication and division, 
generator. Although such jettisoning of bits does falls SUMMARY OF THE INVENTION 

under the broad category of contraction, a more narrow 

view of contraction, in particular what the Applicant The present invention contemplates the machine gen- 
calls "amorphous contraction", requires an "amor- 15 eration of cryptographic keys by non-linear, combinato- 
phous" processing which reduces a set of bits to a rial, processes similar to processes that are normally 
smaller set in an often simple, but functional, manner. associated with encryption of data. 

The keystreams delivered by Applicant's invention 1. The Utility of Amorphous Processes for Keys- 
will be seen to suitably be used as secret encryption tream Generation 

keys, and are thus unsuitable for public key encryption. 20 The present invention deals with combinations of, 
As an aside, it may be noted for the sake of complete- and combinatorial processes performed on, the bits of a 
ness that public key encryption is a relatively new idea "seed" cryptographic key in order to produce a new, 
originating with Diffie and Hellman. Reference W. often larger and pennissively much, much larger, cryp- 
Diffie and M.E, Hellman, "New directions in cryptog- tographic key, or "keystream", that is typically as, or 
raphy", IEEE Trans. Information Theory, IT-22, Vol 25 more, cryptographically secure than is the "seed" cryp- 
6, Nov. 1976, pages 644-654. Public key encryption is tographic key itself. The combinatorial processes are 
based on asymmetric algorithms. The idea is this. The typically recursive, and may typically be used to pro- 
receiver generates a random number which is then duce cryptographic keystreams of any desired length, 
transformed into two keys: a public key and a private The typically long output cryptographic key, or keys- 
key. The public key is insecurely transmitted to the 30 tream, is usefully used to encrypt plain text, or to de- 
sender. The sender encodes the message with the public crypt cipher text, data by any number of conventional 
key and then insecurely transmits the cryptogram to the cryptographic processes, including by a one time pad. 
receiver. The receiver decodes the cryptogram using The combinatorial processes of the present invention 
the private key. This system is practical provided that a) are described as "amorphous", meaning that they are 
the problem of decoding the cryptogram with the pub- 35 not the same from time to time, and over time. The 
lie key is cryptographically intractable, b) deriving the amorphous processes, should the one in use at any par- 
private key from the public key is cryptographically ticular instance not be known to a code breaker, present 
intractable, c) the generation of the public and private a great practical difficulty to a cryptoanalyst in discern- 
keys is simple, d) encoding with the public key is simple, ing either (i) the "seed" key, or fii) the amorphous pro- 
and e) decoding with the private key is simple. 40 cess(es) operating thereon, from the output keystream. 

The only practical public key system that has sur- Of course, the output keystream is intended to be secret, 
vived scrutiny is the patented RSA system invented by and unavailable to the cryptoanalyst who typically has 
Rivest, Shamir, and Adleman in 1978. Reference R. only cipher text data. 

Rivest, A. Shamir and L. Adleman, "A method of ob- Accordingly, the strength of the present invention is 
taining digital signatures and public-key cryptosys- 45 that when a cryptographic "seed" key is itself "en- 
tems", CACM, Vol. 21, No. 2, Feb. 1978, pages crypted", and is the used to encrypt data, then CO the 
120-128. The encryption formula is C=E(Ks, problem of cryptoanalysis is magnified simultaneously 
M)=M*'mod N. (The Micali-Schnorr random number that (ii) the utility of the key is enhanced. The crypto- 
generator is a RSA system.) Note that the security of graphic "seed" key must be so "encrypted" without 
even the DES is suspect. Reference John C. Dvorak, 50 destroying its functional utility as a cryptographic key. 
"Inside Track", PC Magazine, Vol. 11, No. 5, Mar. 17, It is so "encrypted" by the combinatorial methods of 

1992, page 95. Reference also BYTE magazine, May the present invention. The utility of the key is enhanced 

1993, Vol. 18, No. 6 at page 130. because the combinatorial methods normally magnify 
Trie Applicant, at various points, employs a permuta- the length, and thus the attendant utility, of the key. 

tor to resolve a "permutation selector" into a sequence 55 2. The Nature of Amorphous Processes for Keys- 
of permuted indexes. The basic algorithm used follows tream Generation 

one due to Moses and Oakford (reference L.E. Moses The present invention deals with combinations. Spe- 
and R.V. Oakford, "Tables of Random Permutations", cifically, the invention deals with taking a subset of bits 
Stanford University Press, 1963) and to R. Durstenfeld from a set of (generally, substantially) random bits in 
(reference R. Durstenfeld, 1964, CACM, Vol 7, page 60 some order. This combinatorial process is generalized 
420). The method cited requires one multiplication per to include subsets which contain multiple instances of 
permuted index generated. A variant method based on bits from the set. The generalized combinatorial pro- 
division is reported by Knuth in his series "The An of cess, is called an "amorphous process"; the subset of bits 
Computer Programming", specifically in "Volume 2: produced by the amorphous process is called an "amor- 
Seminumerical Algorithms", Addison-Wesley, second 65 phous partition." Amorphous partitions also (generally) 
edition, 1981. This later method requires fewer bits in include logical complementing of selected bits. The 
the permutation selector. An optimum permutation term "amorphous partition index" (or "partition index" 
algorithm with respect to permutation selector size may for short) refers to a particular partition given (i) a set 
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and (ii) some partitioning scheme. The term "amor- with the amorphous partition index a selected set of bits, 
phous stream" refers to the subset output through a 3.2) a sequencer for sequentially ordering the selected 
partition. set of bits in accordance with the amorphous partition 

In order to illustrate these concepts, consider a set of index to produce an ordered selected set of bits, and 3.3) 
64 KB of random data, i.e. 524,288 random bits. Call this 5 a logical complimenter for logically complementing the 
set a "seed", or "base" key. Base key partitioning, the ordered selected set of bits in accordance with the 
"amorphous process" of the present invention, fall into amorphous partition index to produce a !ogically-com* 
three classes: expansion, equivocation, and contraction. plemented ordered selected set of bits called an amor- 

For expansion, the partition index has fewer bits than phous bitstream. 
the amorphous stream. Say, for example, that the parti- 10 By these elements, and these functions, a generalized 
tioning scheme is such that partition indexes are 3 KB combination with substitutions is performed on the base 
and the subsets selected are 60 KB. Given an initial cryptographic key in accordance with the amorphous 
partition index (PIO), a 60 KB subset can thus be gener- partition index. More particularly, the generalized com- 
ated. The first 57 KB of this subset (amorphous stream) bination with substitutions performed on the base cryp- 
is output as a keystream component (KS1) with the 15 tographic key— which base key is itself an essentially 
iernaining 3 KB used as the next partition index (PI1). random set of bits— in accordance with the amorphous 
Thus feedback yields the series KS1, KS2, . . . which is partition index— which partition index is itself an essen- 
defined as the keystream (KS). tially random number— by the amorphous processor 

For equivocation (loosely defined), the partition constitutes a process fairly describable as amorphous, 
index is the same size as the amorphous stream. This 20 This is exactly why the amorphous processor is called 
critical case will produce no output (i.e. NULL={KS1, such, and is likewise why the set of bits produced by the 
KS2, . . .}) and thus is not a practical system in a feed- amorphous processor is called an amorphous bitstream. 
back configuration. Clearly the amorphous process by which the base 

For contraction, the partition index is larger than the cryptographic key is used to produce the amorphous 
amorphous stream. Amorphous contraction can be 25 bitstream is, because it is a generalized combination 
made practical by using an insecure keystream of suffi- with substitutions, itself in the nature of a cryptographic 
cient length used as a sequence of partition indexes or transform. 

possibly as a sequence of base keys also. E.g., the bit- The amorphously-produced amorphous bitstream is 
stream output of a linear congruential generator may be usable as a cryptographic key likewise as is the base 
separated into a series of base keys and partition in- 30 cryptographic key from which it is derived, 
dexes. A process will also be called "contractive" if Notably, no order has been imparted to the crypto- 
base key and partition index pairs are employed wherein graphic keystream by the amorphous transformation 
the amorphous stream from each pair is smaller than the thereof. This is very useful— long keystreams may be 
input, i.e. the base key and partition index pair input to generated from short, "seed", keys without imparting 
the process. The conjecture of the present inven- 35 order during the process of keystream generation, 
tion— supported by statistical tests— is that resulting [ In greater detail, the 3.1) selector of the 3) amorphous 
"contracted randoms" output will be cryptographically processor of the machine permissibly selects from the 
secure, base key, in accordance with the amorphous partition 

To complete the description of the amorphous pro- index, a subset of bits that includes multiple instances of 
cess, some base key bit order selection (the path) must 40 bits of the base key set. The selected set permissively 
be specified. Further, a XORing (substitution) compo- contains more bits than are within the base key. 
nent must also be described. The DESCRIPTION OF Further in accordance with the present invention, a 
THE PREFERRED EMBODIMENTS section of this cryptograph (an "encryption means") may use the 
specification contains the details for several methods of amorphous bitstream produced by the amorphous pro- 
path and substitution control, and the preferred struc- 45 cessor as a cryptographic key in a cryptographic trans- 
ture of a keystream generators for implementing such form. 

path and substitution control. The machine of the present invention generating an 

3. Summary Descriptions of Expanding, and Con- extended-length cryptographic key permissiyely still 
trading, Amorphous Process Keystream Generators of further includes 4) a feedback circuit, receiving the 
the Present Invention 50 amorphous bitstream from the amorphous processor, 

The present invention is embodied in a digital elec- for mapping the received amorphous bitstream into (i) a 
tronic machine for generating a cryptographic key by new amorphous partition index and (ii) a keystream 
processes similar to those normally associated with portion, and for feeding back the new amorphous parti- 
encryption of plain text data. The machine includes 1) a tion index to the amorphous processor for use therein 
base key source for providing a set of essentially ran- 55 and thereby; and 5) a recursive control means for repeti- 
dom bits defined as a base cryptographic key, 2) a parti- tively cyclically exercising the amorphous processor 
tion index source for providing an essentially random and the feedback means so that, over a plurality of 
number called an amorphous partition index; and 3) an cycles, a plurality of amorphous bitstreams are pro- 
amorphous processor receiving the base key from the duced by the amorphous processor and a plurality of 
base key source means and the amorphous partition 60 keystream portions are produced by the feedback 
index from the random number source. means. By these elements, and this operation, the amor- 

The 3) amorphous processor act to perform on the phous processor recursively performs on the base key 
base key a generalized combination with substitutions in successive generalized combinations with substitutions 
accordance with use of the amorphous partition index in accordance with successive amorphous partition 
as a directive in order to produce another essentially 65 indices in order to produce a plurality of successive 
random set of bits called an amorphous bitstream. In amorphous keystream portions. This plurality of succes- 
order to do so, the 3) amorphous processor includes 3. 1) sive amorphous keystream portions constitute, in aggre- 
a selector for selecting from the base key in accordance gate, the extended-length cryptographic key. 
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Notably, this recursive amorphous process by which The present invention further contemplates the keys- 
the base cryptographic key is used, in successive cycles, tream generation method, and apparatus, of a **state 
to produce the extended-length cryptographic key is, machine". The term "state machine" is used somewhat 
because it is still a generalized combination with substi- liberally here. Normally, a desired set of state transi- 
tutions, still itself in the nature of a cryptographic trans- 5 tions are first specified and are then transformed into a 
f orm state machine. However, the opposite is done in the 

In still greater detail, the 4) amorphous processor "state machine" of the present invention. In the present 
typically includes a mapping circuit which expands a invention a "state machine" is specified in which the 
received amorphous partition index into an amorphous resulting state transitions are desired to be the series SI. 
bitstream of a greater number of bits than are within the W S2, S3, ... until the machine begins repeatmg. In other 
amorphous partition index. A feedback of the new words, the state machine method, and state machine, is 
amorphous partition index thus leaves one or more bits a ™*> m ™ te generator with an output se- 

for the keystream portion. Because the amorphous pro- nes 01, 02 03 used as Ae keysueam 
cess produces a number of bits beyond the partition Again, \l S *ZT C n ~"J?Z» 

mdexS^e amorphous prcce^ 15 

process and the amorphous processor is called an ex- wubc uiuca . *u« * 
p m*v uu „ a particular way to yield (i) a transition function and (ii) 

pandmg amorphous processor an output function. The state machine method can be 

The machine of the present mvention generating an ™ £ amorphous process de- 

e^ded-length^tographic key permissively -ttB «^ l. by mVerpretiig the func- 

fiirther mcludes 6) a random number source for proved- ^ ^ ^ ^ ^ ^ 

mg a supply of essentially random numbers and 7) a ^ t ^ ^ ^ %Q ^ 

cycle control means for repetitively exercising the scheme. 

amorphous processor and the random number source so fa preferred operation, the state machine method 
that, over a plurality of cycles, a plurality of amorphous ^ ^ a key ^ vaJueS) a •• mach ine index" and a 
bitstreams are produced by the amorphous processor. %%mt variable » F rom these it amorphously forms a 
The random number source provides for a new amor- vdue me « garbage index". This garbage index is 
phous partition index for each cycle, or m addition, the decomposed into a plurality of fields which define, 
random number source provides for a new base key for through a fairly involved process, a '^transition func- 
each cycle as well. The entire amorphous bitstream is 3Q ^ m » output function". The process includes 
used as a keystream portion; the plurality of successive ^ amorphous generation of operands which are then 
amorphous keystream portions constituting, in aggre- manipulated in a plurality of operations selected via the 
gate, the extended-length cryptographic key. garbage index. 

In this embodiment of the machine in accordance jhe "amorphousness" of the state machine, and the 
with the present invention using the 6) random number 35 state machine method, lies in that operands and opera- 
source, the amorphous processor includes a mapping ^ons are selected via an expansion of the machine index 
circuit which contracts a received amorphous partition ^ state variable wherein the expansion is intrinsically 
index into an amorphous bitstream of fewer bits than the without form, and amorphous, 
amorphous partition index. Accordingly, a source of The conjectured cryptographic security of the state 
amorphous partition indexes is necessary to produce a machine of the present invention results from the amor- 
keystream. Moreover, because the amorphous process phous selection of both (i) the operands and (ii) the 
produces a number of bits fewer than the partition index operations applied to the operands. It is respectfully 
size, the amorphous process is called a contracting pro- suggested that this dual amorphism is a fairly powerful 
cess and the amorphous processor is called an contract- idea, and that it is likely to be exceedingly difficult for a 
ing amorphous processor. 45 cryptoanalyst to re-evolve the (i) key and/or (ii) the 

Of great importance, the 6) random number source state machine from just the output keystream. More- 
may be based on a cryptographically insecure random OV cr, it should always be remembered that the output 
number generator! The cryptographic security of the keystream itself is normally kept secret, and used to 
plurality of amorphous bitstreams, and of the crypto- encrypt or decrypt data. 

graphic key, generated by the machine is achieved by 50 5. The State Machine In Accordance With the Pres- 
the contraction process, and not by the "randomness" ent Invention Embodies At Least Two Ideas Promoting 
of the numbers generated by the random number gener- the Cryptographic Security of the Generated Key 
ator! As introduced in section 4, above, the basic idea of 

A preferred -random number source is an expanding the state machine method is to form the so-called "gar- 
amorphous processor in a feedback configuration. In 55 bage index". The garbage index plays an analogous role 
this case the cryptographic security of the plurality of to that of the partition index in the amorphous expan- 
amorphous bitstreams, and of the cryptographic key, sion and contraction methods briefly described in sec- 
generated by the machine is achieved by the contrac- tion 1. above. However, instead of defining an amor- 
tion process. Moreover, because the expanding amor- phous stream through a partition, a garbage index de- 
phous processor of the random number source expands 60 fines a next state variable and an output value (i-e. a 
while the mapping means of the amorphous proces- keystream fragment) through a two functions: an output 
sor — which amorphous processor uses the random function and transition function, 
number as a new amorphous partition index and a new The partition index specifies a function which selects 
base key for each cycle— contracts, the entire process is bits from the base key. Analogously, the garbage index 
called an amorphous teeter-totter process. 65 specifies a function (actually two) which selects bits 

4. In Accordance with the Present Invention, Keys- from the machine index and state variable, although this 
treams Can Also be Generated by the Method, and is not a direct selection: a transformation is a more accu- 
Apparatus, of a "State Machine" rate description. 
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A first idea expressed in the preferred embodiment of injecting dependency bits into the fields at points se- 
method, and the state machine, of the present invention lected by a dispersed emission stream of dependency 
is to interpret the so-called "garbage index" as a collec- bits. 

tion of fields. Some fields specify operands, others spec- An evaluation means interprets the fields of the tran- 
ify operations, still others specify the order of opera- 5 sition function and output function as directives so as to 
tions and operands, still others specify the expansion of perform selected operations on selected operands. The 
fields, and/or still others do all sorts of strange things. selected operations on the formed operands producing 
Some of the strange things possible are described in the intermediary results which are used as operands for still 
DESCRIPTION OF THE PREFERRED EMBODI- additional operations that are selected with additional 
MENTS section of this specification. 10 fields. The evaluation process terminates after a prede- 

Once operands are formed and operations selected, termined number of levels, producing a final result, 
the results from these operations provide values which A state transition permits the process to continue, 
can be treated as additional operands. Further fields A plurality of keystream fragments result 
from the garbage index can now provide more "opera- A concatenation of successive keystream fragments is 
tion indexes" to further transform the result operands. 15 defined as the keystream. 

Many levels of operations can be performed before a 7. Summary Statement of Merit of the Present Inven- 
final result is obtained. The total of such intermediary tion 

operations defines an output or transition function, The expanding amorphous process of the present 
though these functions could share some, or most (as in invention is functionally and computationally simple, 
the preferred embodiment) of the intermediary opera- 20 The amorphous processes of the present invention may 
tions. be dramatically contrasted with the conventional 

Another, second, major idea expressed in the pre- wisdom of "small key" systems which attempt to get 
ferred embodiment of the method, and the state ma- the most 4 *mileage" possible out of a small key. The 
chine, of the present invention is the use of dependency existing small key paradigm holds that larger key sys- 
bits. These dependency bits serve provide a pool of 25 terns should be formed by combining the analyzed corn- 
random bits used in such things as field expansion or ponents of small key processes, 
operand formation. A dependency table could be gener- The expanding amorphous process of the present 
ated by an amorphous process using the machine index invention is almost the complete opposite to prior cryp- 
and state variable directly as a base key and partition tographic key generation and key management systems, 
index. However, this requires that the state variable and 30 The present invention starts with a large key and then 
particularly the machine index be random values; an uses the simplest possible, almost trivial, operations to 
undesirable constraint necessary for generation of a form a secure keystream. Instead of optimizing the 
fairly random dependency table. To circumvent this "miles per gallon" of a small key, the expanding amor- 
problem, the preferred embodiment uses the machine phous process of the present invention taps into a virtu- 
index and state variable to form seed(s) for use in a 35 ally infinite supply of possibilities and ''inefficiently" 
conventional random generators) such as a congruen- converts these possibilities into the reality of a keys- 
tial multiplier. The random output is then amorphously tream— a keystream that is effectively distinct from the 
compressed to form a dependency table which is not large key from which it was derived! 
only random regardless of the input, but also securely From an analytic, and also a philosophic viewpoint, 
derived. 40 the expanding amorphous process of the present in ven- 

6. Summary Description of a State Machine Keys- tion is arguably quite appealing: it exploits the infinite 
tream Generator in Accordance With the Present In- via the simple. The method's merit results from avoid- 
vention ing the "complexity" which historically has proven to 

In accordance with still another embodiment of the be, all too often, less than effective, 
present invention, a state machine serves to generate an 45 The difference between the approach of the present 
extended-length cryptographic key by non-linear pro- invention and prior approaches to cryptology boils 
cesses that are normally associated with encryption of down to the use of, and the reliance upon, a complexity 
plain text data. The state machine operates to transform which is disperse versus a complexity which is dense, 
a state variable into an keystream fragment and a next The merit of the disperse complexity of the present 
state variable in accordance with a directive called a 50 invention is in its clarity. Contrast the dense complexity 
machine index. of prior art small key systems: which complexity is 

A preferred embodiment of the state machine in- problematic in that the complexity of such systems may 
eludes a dependency formation circuit for generating a be illusionary. 

plurality of random bits from the machine index and The expanding amorphous process of the present 
state variable. These dependency bits serve as depen- 55 invention is, with all its disperse complexity (which is 
dent parameters for subsequent operations. The depen- actually its simplicity), arguably more attractive then 
dency formation circuit consists of, for example, a con- prior art small key systems based on dense complexity 
gruential multiplier random generator. in that a sufficiently complete analysis of the crypto- 

Further included is a garbage index formation circuit graphic security of the process of the present invention 
for deriving from the machine index, the state variable, 60 is not only possible, it is highly believable that such an 
and the dependency bits a garbage index. The garbage analysis is indeed thorough! As previously explained in 
index formation circuit may consists, for example, a the BACKGROUND OF THE INVENTION section, 
streaming CEM. the cryptographic security of small key (dense complex- 

A parsing means decomposes the garbage index into ity) systems depends strongly on the intractability of 
a plurality of fields which provide for a transition func- 65 obtaining any reverse solution to the mathematical algo- 
tion and an output function. rithm upon which the key generation is based. 

A field expansion means explodes certain fields. The While the expanding amorphous process of the pres- 
field expansion circuit may so operate, for example, by ent invention has the drawback of having a large stor- 
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age requirement for keys, this liability can be mitigated FIG. 10 is a block diagram of the unpacker used to 

significantly by expanding a small seed key into the form function indexes from packed function indexes for 

much larger base key only when needed. Furthermore, use in the state machine of FIG. 8. 

an expanding amorphous processor in accordance with FIG. 11 is a block diagram of the operand maker used 

the present invention— although simple and straightfor- 5 to form operands for use in the state machine of FIG. 8. 

ward in the data manipulations that it performs — is DESCRIPTION OF THE PREFERRED 

generally larger, and requires more silicon real estate, EMBODIMENTS 

than would, for example, a Data Encryption Standard . 

(PES) chip. Again, this is not a prohibitive factor con- 1. Amorphous Processes for Keystream Generation 

sidering that the price per transistor of integrated cir- 10 The keystream generators of the present invention in 

cuitry is already low, and is seemingly spiraling down- their various forms have, as their primary principle of 

wan £ operation, the concept of performing an "amorphous 

A strong case can be made that the small key para- Process". Accordingly it b immediately appropriate* 

digm of the prior art is an anachronism which emerged «P lam more what amorphous process 

from the pencil and paper era of encryption. In an era of 15 B * M , „ _ - ^ , . n „ 

mtegra^^ 

expanding amorphous process of ^present invention <° g selection of certaii base 

is indeed pound wise and yet penny frugal. * ^ 

The merits of the con^ 

the present invention are smular to the menu of the of £ ^ ^ lo ^_ 

expanding process because the contracting case is sun- complemented. Or in other words, a "partition" is 

plyanother mode of the amorphous process permuted generalized combination with substitutions. 

The state machine, and state machine method, of the ^ bits Elected via some partition form a sequence 
present invention is probably the least attractive of the 2J m hous st ream". A "partition index" is 
three machines, and three methods, of the invention. value which specifies a partition under some partition- 
However, the state machine is still interesting because it . method| Le< a "partition index" fully specifies how 
is in essence a combination of the expanding and con- ^ amorphous stream is to be selected from the base 
tracting amorphous processors. Or in other words, the kev 

state machine is a complex version of the amorphous 3Q ^ amorphous process is conveniently divided into 
teeter-totter. This teeter-totter action results from the three Masses. An "expanding" amorphous process re- 
expansion and contraction which occurs at each transi- sults from a partitioning method in which the partition 
tion. Since the amorphousness of both operations is indexes are smaller than the amorphous streams pro- 
high, the resulting random output should be secure, and duced. A "contracting" amorphous process results 
was empirically found to be highly random. 35 wnen the partition indexes are larger than the amor- 
These and other aspects and attributes of the inven- phous streams produced. And finally, an "equivoca- 
tion will become increasingly clear upon reference to tion" process is one with the same size of indexes as the 
the following drawings and accompanying specifica- amorphous streams. This last critical point case is still 
tion. called equivocation even if a particular partitioning 

BRIEF DESCRIPTION OF THE DRAWINGS 40 me ? ho <? is L not «W>« ™ ou |? to c P rovide £f t f Ue ., eqU ;^ 

cation in the sense defined by Shannon. The limits of the 

FIG. 1 is a block diagram of a keystream generator ratios of amorphous expansion or contraction are both 

using an expanding amorphous process in a feedback infinite, though in practice a finite ratio must be used to 

configuration. construct a practical system. 

FIG. 2 is a block diagram of the holdback multiplexer 45 x 0 implement the "key extension" method of the 

used to form an amorphous stream for the expanding present invention, an expanding amorphous process is 

process of FIG. 1. used to generate a keystream from a given initial parti- 

FIG. 3 is a block diagram of an emission generator tion index. The amorphous stream from the initial parti- 
used to form element emissions which are then multi- tion index will provide a "next" partition index with the 
plexed in the expanding process of FIG. 1. so excess bits used as part of the keystream. Continuing 

FIG. 4 is a block diagram of an emission generator with successive partitions results in the generation of a 

used to form element emissions by a dispersed selection keystream. . 

process which are then multiplexed in the expanding To implement the "contracted randoms" method of 

process of FIG. 1. the present invention, a contracting amorphous process 

FIG. 5 is a block diagram of a message key exploder 55 is applied to the output of some pseudo random number 
which expands a small message key into a larger parti- generator to produce a more secure keystream. Addi- 
tion index for use in the keystream generator of FIG. 1. tional security is achieved since amorphous contraction 

FIG. 6 is a block diagram of a keystream generator will hide the underlying method of random number 

using a contracting amorphous process to contract a generation. Alternatively, a contracting process could 
random number stream into a secure keystream. 60 follow an expanding process thus eliminating mathe- 

FIG. 7 is a block of the "hashed division" index ex- matical random number generation entirely. This con- 
tractor used to generate permutations for use in the figuration of expansion followed by contraction is 
contracting amorphous process of FIG. 6. called the "amorphous teeter-totter". 

FIG. 8 is a block diagram of a keystream generator To better understand the amorphous process, con- 
using a state machine to generate random numbers. 65 sider an expanding process consisting solely of transpo- 

FIG. 9 is a block diagram of the random generator sitions. The base key is first divided into a plurality of 

used to form dependency bits via a contracting amor- contiguous items called elements. For a given element 

phous process for use in the state machine of FIG. 8. of, for example, 1024 bits, the number of possible paths 



04/30/2004, EAST Version: 1.4.1 



5,297,207 

17 18 

therein is a very, very, large number, with the actual through element descriptor N 21, holdback register one 
value being 1024!. Since expansion is desired, a much (1) 24 through holdback register N 25, and several inter- 
smaller set of all paths must be selected. Furthermore, nal registers within holdback multiplexer 28. 
these paths should be simple with respects to transition After the partition information is stored, control is 
complexity and the number of internal values necessary 5 passed from partition extractor 18 to holdback multi- 
to represent any point in the path. One adequate class of plexer 28. Holdback multiplexer 28 first zeros the count 
paths which requires only two internal values is the field in emission register one (1) 26 through emission 
FRONTs and TAILs method. Here, the path "FT" register N 27. Holdback multiplexer 28 then generates 
denotes the sequence Fl, Tl, F2, T2, F3, T3, etc where amorphous stream 33 which is sent to stream router 30. 
Fl is the first bit of the element, F2 is the second bit, and 10 The details of this generation process axe described 
so on, and where Tl is the last bit, T2 is the second to shortly below. Stream router 30 first passes received 
the last bits, and so on. The sequence of bits from an amorphous stream 33 into a next partition index stored 
element selected by a path is called an "element emis- in partition index register 16. The remainder of amor- 
sion". phous stream 33 is passed as keystream 31. 

The FRONTS and TAILs method give rise to paths 15 Once amorphous stream 33 is completely generated, 
such as {F, T, FT, FFT, FFTT}, with each path defin- control is returned from holdback multiplexer 28 to 
ing a different element emission. To form the amor- partition extractor 18, which proceeds to carve a new 
phous stream for a given partition, all of the element partition with the new partition index just generated, 
emissions must be multiplexed together in some manner. Utilizing feedback as described, this process repeats 
While these emissions could simply be taken one after 20 resulting in a keystream 31 of desired length, quite pos- 
the other in some permuted order as was done with sibly very long. 

transposition block ciphers, a better multiplexing The operational details of holdback multiplexer 28 
method should be employed to complicate correlating are now described. FIG. 2 depicts the internal structure 
an amorphous stream with the base key. of the multiplexer. First, the emission count reset stage. 

One such better method which is sufficiently simple is 25 Multiplexing controller 51 initializes emission counter 
the holdback multiplexer which views all the elements 46 with the maximum number of elements. Multiplexing 
as a permuted set but forms the amorphous stream by controller 51 then successively zeros the count field in 
taking one bit at a time from successive element emis- emission register N 27 through emission register one (1) 
sions in their permuted order. In addition, each element 26 using emission counter 46 to address the emission 
is associated with a holdback count which is decre- 30 registers. Emission counter 46 is decremented at each 
men ted each time the multiplexer outputs a bit from that cycle until the counter reaches zero, which means that 
element emission. When the holdback count reaches all the emission count registers have been reset 
zero, the pending bit in the element emission is "held The generation of amorphous stream 33 by multiplex- 
back" at that point with the multiplexer continuing with ing controller 51 is described next. The usual case for 
the next element emission. The holdback counter is 35 generating an amorphous bit is described first, with the 
reset to some fixed value with the "held back** bit out- various sub-cases described thereafter, 
put during the next pass. Target register 44 is read to provide for a target ele- 

Substitution can readily be included in the above ment. Target register 44 selects an emission count regis- 
partitioning method. Let Fc denote the logical comple- ter (26-27) whose value is read and stored in emission 
ment of a "front bit** and similarly Tc for tail bits. Now 40 counter 46. Emission counter 46 is then decremented, 
the set of paths could become {F, Fc t T, Tc, FT, FcT, Target register 44 also selects a current holdback regis- 
Ftc, FcTc}. Annihilation can also be readily included ter (24-25) whose value is read and stored in holdback 
by interpreting some of the leading bits in each element counter 50. Holdback counter 50 is then decremented, 
as a "bole" which are excluded from the element emis- Target register 44 further selects an emission fragment 
sions. 45 register (26-27) whose value is read and stored in shift 

The details of mapping partition indexes to partitions register one (1) 48. Multiplexing controller 51 pulses 
will be given in greater detail shortly below; however, shift register one (1) 48 to obtain a bit which is sent as 
it should be fairly clear how this could be done. Of note, the next part of amorphous stream 33. 
finer and finer partitions can be made until a contracting The selected emission fragment register (26-27) is 
process is reached. Furthermore, by using larger and 50 updated by writing to it the modified contents of shift 
larger number of bits to select the permutation of ele- register one (1) 48 via emission bus 23. The selected 
ments (this can be done in a very general way), any current holdback register (24-25) is also updated by 
contraction ratio desired can be readily obtained. Other writing to it the modified contents of holdback counter 
partitioning methods and generalization will be also be 50 via holdback bus 29. Further, the selected emission 
described in this section below. 55 count register (26-27) is updated by writing to it the 

The key extension method of generating a keystream modified contents of emission counter 46. Finally, tar- 
is now described, as depicted by expanding amorphous get register 44 is updated by storing to it the value of the 
process keystream generator 32 of FIG. 1. An initial next field of the element link register (40-42) selected 
partition index 15 is sent to partition index register 16, a by the target register. 

partition descriptor 13 is sent to partition descriptor 60 Now for the sub-cases. If the value read from the 
register 14, and a base key 11 is sent to base key ram 12. selected emission count register (26-27) is zero, then 
With the processor thus initialized, the first partition is multiplexing controller 51 sends a emission refill request 
then carved. Partition extractor 18 receives a partition (and the contents of target register 44) via emission bus 
index from partition index register 16 and a partition 23 to emission generator 22. Emission generator 22 
descriptor from partition descriptor register 14. Parti- 65 gains control and refills the selected emission register 
tion extractor 18 then carves a partition with respects to (26-27). Emission Generator 22 returns control by send- 
base key ram 12 and stores the partition information in ing an emission refilled signal to multiplexing controller 
the following registers: element descriptor one (1) 20 51, multiplexing then continues with the same element. 
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If holdback counter 50 is zero upon being decre- ration would be significantly decreased because of the 
xnented. a holdback occurs. Multiplexing controller 51 additional bits required to define the various partitions, 
then reads the master field of the holdback register The operational details of partition extractor 18 of 
(24-25) selected by target register 44 with the master FIG. 1 are now described for path picking partitions 
value written back to current field of selected holdback 5 based on the FRONTS and TAILS method. See also 
register. Multiplexing continues at the update point for FIG. 3 for a depiction of the corresponding (path pick- 
target register 44. ing) emission generator 22a. Dispersed partitions, alter- 

If a refill request to emission generator 22 cannot be natively, can be employed. Dispersed partitions will be 
satisfied, i.e. when the selected element's emission is described at a later point 

exhausted, then control is returned immediately by 10 Without loss of generality a 64 KB (KB = kilo bytes) 
sending an element exhausted signal to multiplexing base key RAM 12 will be partitioned using 26,113-bit 
controller 51. The exhausted target element is "deleted" partition indexes. Each partition index is composed of a 
by unlinking the element selected by target register 44 4,097-bit permutation selector and 512 43-bit partition 
from the doubly linked list of element link register one element specifiers. The partition element specifiers, 
(1) 40 through element link register N 42 by modifying 15 taken one after the other, carve the KB base key into 
the proper registers therein. Target register 44 is also 512 contiguous partition elements in a manner yet to be 
advanced. If another element exists, the multiplexing described. The permutation selector is applied to a 
continues. If, however, the deleted element was the last (hashed division) permutator with N=512, yielding a 
element, multiplexing controller 51 returns control to permutation on the partition elements. It is this pennu- 
partition extractor 18 by sending an emissions exhausted 20 totion information, formatted for a doubly linked list, 
signal via holdback bus 29. which » sen* from partition extractor 18 to holdback 

Holdback multiplexer 28 could be enhanced in the multiplexer 28 for storage in element link register one 
following manner to emit a plurality of bits at each 0) 40 through element link register N 42. 
element stage. To this end, each element specifier „ The following table shows a typical partition of the 
would include a cycle list specification with the multi- 25 fading ™? trailing elements, carved using consecutive 
plexer now employing an array of registers to hold the P^ 00 clementspecifiers but numbered with the per- 
cycle lists. (Alternatively, a global cycle list could be muted md f xes - ™ e "V™?* 0 ™ P*™ 100 clements 
used to keep the size of partition indexes small.) Con- ^ c ™ c ^ the 64 KB base key 12. 

sider the cycle list of {3, 1, 2, 1}. The multiplexer would ^ TABLE I 

cyclically access this list. The first modifier of 3 would 
cause three successive emission bits (instead of one) to 
be emitted into the amorphous stream during that ele- 
ment emission multiplexing stage, then 1 bit, then 2 bits, 
and then 1 bit (then repeat) emissions on the successive 35 
concatenating phases for that element emission. 

Another enhancement for holdback multiplexer 28 
would be to employ a plurality of element permutations 
with each permutation associated with a chain. Each 
chain would require an additional array of element link 43 
registers to hold its permutation. Here, the multiplexing 
would proceed as before starting with the first chain but 
only processing elements until the starting link of that 
chain is reached. Then the next chain would be pro- The seven fields which comprise each 43-bit partition 
cessed until all its elements are swept once, and then so 45 element specifier are shown in the table below. The use 
on. Once all chains are swept, processing would begin G f these specification fields will be described in due 
again with the first chain. This "chained" generalized 
multiplexer requires more memory in the form of ele- 
ment link registers, but its operation is only slightly 
more complex. 50 

Another multiplexing enhancement would be to ter- 
minate the partition once the number of remaining ele- 
ments reaches some threshold. This aborting is desirable 
in order to thwart the possibility of correlating the base 
key with the trailing portion of an amorphous stream. 55 
Without this truncation, the trailing portion would con- 
tain multiplexed bits from too few elements thus making 
that portion cryptographically weak. This truncation The size specification is used to select the number of 
can be done with only a minimal loss of amorphous bits in a given partition element. The formula used is 
stream. 60 SIZE =512+ size specification. This results in elements 

Another multiplexing enhancement would be to em- ranging from 512 to 1535 bits with an average size of 
ploy independent current/master holdback registers in about 1024 bits. Handling partition indexes which re- 
conjunction with "chained 1 * multiplexing. Or in addi- quest more bits or less bits than the base key are handled 
tion, independent element descriptors and emission by dropping some elements if necessary and adjusting 
fragment/count registers could be used resulting in the 65 the size of the last element to the remaining number of 
multiplexing of a plurality of independent partitions. bits. 

Though this would require vast more memory and also The hole specification selects the number of leading 
reduce the generation efficiency since the expansion bits (0 to 31) in a given partition element which are not 



ELEMENTS 


BIT SIZE 


E35 


910 


E219 


1075 


E74 


1384 


E90 


575 


E412 


1122 


EI9 


1501 


E315 


1101 


ES9 


1192 


E500 


1320 


E9 


535 
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TABLE II 


FIELD NAME 


SIZE 


size specification 


10 bits 


hole specification 


5 bits 


master holdback specification 


A bits 


initial holdback specification 


4 bits 


initial hem specification 


10 bits 


path picking specification 


3 bits 


truncate specification 


5 bits 
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emitted. Only those bits beyond the hole are emitted subset of the most probable emissions quite large in 
through path picking. The path picking specification itself. (See Appendix 4 for an analysis.) 
selects the order and polarity in which the non-hole The preceding description of element emission for- 
partition element bits are emitted. Each "substitutive" mation was intended as an abstract In practice, the 
path is a list containing one or more bit emitter control- 5 element parameters such as SIZE and INITIAL are 
lers. The possible controllers are F (emit a front), Fc transformed into parameters which lend themselves to a 
(emit a front as complemented), T (emit a tail), and Tc more practical formation of element emissions. It is 
(emit a tail as complemented). The non-hole bits se- these "practical" parameters which are stored in de- 
lected by a path form a sequence called the element ment descriptor one (1) 20 and element descriptor N 21. 
output The following table defines the path for a given 10 FIG. 3 depicts (path picking) emission generator 22a 
picking path specification (which ranges from 0 to 31): wn ich uses these "practical" parameters to generate 

element emissions. These parameters are labeled as 
work registers. one (1) 67. A further parameter is inter- 
nally used by path and substitution generator 74. The 
contents of work registers one (1) 67 are somewhat 
self-explanatory. More specifically, current front 61 
holds the bit address of the next FRONT bit to emit of 
the element in base key ram 12. Likewise, first front 60 
points to the first FRONT bit of the element and last 
front 62 points to the last FRONT bit The tail registers 
of first tail 63, current tail 64, and last tail 65 are defined 
as expected. Remainder 66 holds the count of the re- 
maining emission bits. 

The evaluation of element descriptor values from the 
SIZE and INITIAL parameters is straight forward. 
E.g., the first front value is derived by adding the hold 
size to the next element address. The path specification 
yields the proportion of FRONTs to TAILs, together 
30 with the SIZE, yields a value for the last front. The first 
tail is simply the successor of the last front (the first tail 
register could be eliminated from the element descrip- 
tors and computed on demand instead). The last tail is 
derived by considering the SIZE parameter and the 
35 element's starting address. The current front and tail 
' values are derived by considering the INITIAL param- 
eter and the path specification. The remainder value is 
simply the non-hole size minus the truncated bits. 
Emission generator 22a operates as follows. Upon 
40 receiving an emission refill request from holdback mul- 
tiplexer 28 via emission bus 23 (and through emission 
counter one (1) 78), emission controller 76 loads work 
The element output sequence is rotated (to the right) registers one (1) 67 with the contents of the element 
by INITIAL positions, where the INITIAL =integer( descriptor (20-21) selected by target register 44. Path 
(initial item specification ♦ number of non-hole 45 ^ substitution generator 74 is also loaded with a pa- 
bits)/ 1024). This sequence is now truncated (from the rameter from the selected element descriptor. Emission 
left) by the value of the truncation specification which controller 76 checks if work register remainder 66 is 
ranges from 0 to 31 bits. The resulting sequence is the if *>» &e refill request is terminated by sending to 

"element emission". holdback multiplexer 28 an element exhausted signal. 

The remaining partition element specifier fields, the 50 To fill fronts buffer 68 and fronts counter 69, shift 
master holdback specification and the initial holdback register two (2) 72 is first loaded with the word from 
specification, are used in forming holdback values base key ram 12 containing the bit selected by current 
which are stored in holdback register one (1) 24 front 61 (address of this word is current front 61 shifted 
through holdback register N 25. The current holdback right by say 4 bits for a word size of 16 bits). Emission 
formation formula is current holdback = initial hold- 55 controller 76 pulses shift register two (2) 72 by a num- 
back specification + 1, with values ranging from 1 to 17. ber (determined by the lower bits of current front 61) so 
For master holdbacks, the formula is master holdback that the first bit in shift register two (2) 72 is the current 
master holdback specification + 7, with values ranging front bit. Emission controller 76 then stores the contents 
form 7 to 23. of shift register two (2) 72 in fronts buffer 68. To com- 

The holdback multiplexing scheme was chosen to 60 pute the number of valid bits in fronts buffer 68, emis- 
weave the element emissions together in a manner sion controller 76 subtracts from the word size the num- 
which exasperates the problem of resolving the parti- ber of pulses needed to right justify the current front bit 
tion index from the keystream. Without holdbacks, This value is then bounded by the fronts bits available 
taking every 512th keystream bit would yield some (the difference between the last front 62 and current 
element emission which could be used to eventually 65 front 61 plus 1) and stored in fronts counter 69. 
extract the base key. Holdbacks introduce into the ex- By a similar process, emission controller 76 fills tails 
traction of element emissions an uncertainty which buffer 70 and tails counter 71 with values derived from 
results in a large list of emission candidates, with the current tail 64, first tail 63 and base key 12. 
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Emission controller 76 resets emission counter one (1) Robison, and Eagle) for the generation of both the path 

78 to zero and then begins to generate emission bits. and substitution bits, wherein this LSR would be used 

First, emission controller 76 requests and receives from globally for all elements. Alternatively, a compound 

path and substitution generator 74 a path selection bit. maximal length LSR configuration, say a STOP-N-GO 

The path selection bit selects either a fronts bit Of 0) or 5 generator, could be used to generate the path and substi- 

a tails bit (else if 1). When a front bit is selected, emis- tution bits. More complex generation schemes, say DES 

sion controller 76 pulses and receives from fronts buffer in a feedback mode or the RSA method of Micali and 

68 the next fronts bit, similarly, tails buffer 70 is ac- Schnorr, could be used. However, this additional com- 

cessed whenever a tails bit is selected. The element bit plexity is unnecessary and would degrade performance. 

85 generated is sent to XOR one (1) 80. Next, emission 10 Note that since the proportion of fronts to tails would 

controller 76 requests from path and substitution gener- not be exactly known a priori (when using a maximal 

ator 74 a substitution bit which is sent along 83 to XOR length LSR, etc), the last front bit address evaluation 

one (1) 80. The output of XOR one (1) 80 is an emission should assume a uniform 50/50 distribution of l's and 

bit which is sent along 81 to emission buffer one (1) 82. q> % for n, e pal h and substitution bits wherein extra front 

Emission buffer one (1) 82 is pulsed via clock 79 and the 15 or cxtra b5ts would ^ emitted if the distribution as 

emission bit is loaded. not exactly uniform. 

The bit address in the associated work register, either Another partitioning extension would be to include a 

current front 61 or current tail 64, is then advanced by 5^ delta eIements field m partition mdexes . Usillg ^ 

emission controller 76. A front is advanced by mere- fonnu]a C0UNT=512-delta elements would result in 

menungc^enti front 6^and if the new value is beyond 20 ^^^^^481 to 512 elements. This exten- 

last front 62, first front 60 is then stored in current front ^ would ^ ^ lc modifications ^ch as fix-ups 

6L A tail is advanced by decre^ntmg current tail 64, to ^ SI2E 7 0nnula ^ d the j^^g of partition m . 

and if the new value is before first tail 63, last tail 65 is dcxcs whQSe nQW d d Qn £ ^ elements 

then stored in current tail 64. value. 

JSrlSSSL e ~'r ZVL^JlS ST 25 A" 0 *" Partitioning extension would be to include a 

counter 69 or tails counter 71, is decremented. IF the irk ... 4 . r - . , . • . . . . - . . 

associated element counter is now zero, the associated "Mm ratote field m partition indexes. This rotate field 

buffer and counter are refilled by the procedure de- T 1 w . fn^wf^?^ *T 1 ♦ 

scribed above from the lst to 1024th blt of ^ kev > ehminat- 

Emission controller 76 pulses emission counter one 30 in * knowledge of the initial elements edge. The last 

(1)78 to accrue for the loaded emission bit. Work regis- unpennuted dement would now contain the 

ter remainder 66 is then decremented. If remainder 66 is ^ ra pi*f b,ts from ? ont ba * kev - Nole 

now zero or if emission buffer one (1) 82 is full (detected «Mittanal registers would now be needed to parameter- 

by checking the contents of emission counter one (1) ™ e wrapped element. 

78), the emission generation terminates, else, another 35 Another partitioning extension would be to expand 

emission bit is generated. the P atn P ickin fi table. To this end, another hole specifi- 

Upon emission generation termination, emission con- field and a differential specification field 

troller 76 pulses emission buffer one (1) 82 to right jus- m included in the partition element specifiers. This 

tify the content (by a number derived form emission results m ™ enhanced partition element with the new 

counter one (1) 78 and the emission fragment word 40 hole separating the element into two sections, the size of 

size). The contents of emission counter one (1) 78 and ^ sections determined by the section differential speci- 

emission buffer one (1) 82 are stored in the selected fication. This now yields two sets of fronts and tails, 

emission register (26-27) as count and fragment values. emitter controller alphabet would become {Fa, 

The contents of the modified work registers one (1) 67 Fac » Ta » Tac » F" 0 * ^ Tb, T*>c} so that much large 

and the internal registers) of path and substitution gen- 45 P ath tables are now possible while keeping the path list 

erator 74 are stored in the element descriptor (20-21) length still relatively short. 

selected by target register 44. Finally, emission control- Another partitioning extension would be to permit (at 

ler 76 returns control to holdback multiplexer 28 by least some) overlapping elements so that several base 

sending an emission refilled signal on emission bus 23. key bits are multiply emitted. Overlapping elements are 

The path picking specification is mapped by TABLE 50 useful for increasing the expansion ratio. A larger dy- 
III to 32 different substitutive paths. This scheme was namic range of partition elements also makes the keys- 
chosen for partition index compactness and for software tream more secure from base key extraction attacks, 
implementation performance in that this small finite set Another partitioning extension would be to employ a 
of paths can readily be hard coded for optimum logical base key defined using a logical mapping field 
throughput. A hardware implementation of path and 55 within a partition index. Here a partition would be 
substitution generator 74 could employ two linear shift carved on the logical base key. The logical mapping 
registers with direct feedback, one for the path and one field consists of 1024 (twice the number of elements to 
for the substitution generation. be carved) logical specifiers plus a logical permutation 

The path based amorphous partition method lends selector. The logical specifiers consist of a block size 

itself to innumerable extensions. Eg. the path and sub- 60 specification field and possibly a block hole specifica- 

stitution generator 74 could employ maximal length tion field. The blocks (excluding any hole bits) thus 

LSRs to generate the path and substitution bits. How- carved and permuted are then viewed as a contiguous 

ever, this has the drawback of requiring larger partition area, the logical base key. The elements subsequently 

indexes if each element uses independent LSR datum carved from the logical base key would then require 

and tap information. Though this ballooning of the 65 translations into the actual base key, or alternately, the 

partition index could be greatly reduced by using a logical base key could be created in memory and then 

single maximal length LSR (only 607 specification bits directly used. Using twice as many blocks as elements 

would be needed for the one investigated by Tootill, results in element emissions which typically span two 
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(or three) different areas in the base key, thus complicat- 
ing a correlation attack. 

Another class of partitioning extensions would be to 
employ feedback within a partition. A simple example is 
to include a trigger field within partition indexes to 
select how many amorphous bits are emitted before 
triggering. Once triggered, a fixed portion of the fol- 
lowing amorphous stream would be intercepted and 
buffered. These intercepted bits could be used to either 
replace or modify all or some portion of the current 
holdback values and master holdback values. 

One feedback configuration which is particularly 
attractive is to break the base key into two 32 KB areas. 
A first amorphous process using the first base key area 
is seeded with a partition index and generates a keys- 
tream as before. However, now, the keystream of the 
first is feed as partition indexes to an amorphous process 
using the second base key area. The resulting amor- 
phous streams from the second process are now output 



10 



15 



specification value with pointer register 91 also receiv- 
ing that value. The value of COUNT is stored in skipper 
count register 93 with skipper table 92 filled with con- 
secutive skipper values. Current skipper register 94 is 
initialized as zero and hence indexes the first skipper in 
skipper table 92. The value of NEXT is stored in delta 
register 95. The value of SIZE is stored (generically) in 
tap control register 108. Finally, the xor datum specifi- 
cation value is stored (generically) in LSR 106. 

Since a permutation is not used on dispersed ele- 
ments, partition extractor 18 sends element link infor- 
mation to holdback multiplexer 28 in the form a consec- 
utively linked elements. 

The operational details of (dispersed) emission gener- 
ator 22b of FIG. 4 are as follows. Upon receiving an 
emission refill request from holdback multiplexer 28 via 
emission bus 23 (and through emission counter two (2) 
100), dispersed emission controller 98 loads work regis- 
ters two (2) 96 with the contents of the element descrip- 



as the generated keystream, with no feedback in the 20 tor (20-21) selected by target register 44. Dispersed 

second process. substitution generator 107 is also loaded with values for 

The operational details of partition extractor 18 of LSR 106 and tap control register 108 from the selected 

FIG. 1 are now described for dispersed partitions based element descriptor. Dispersed emission controller 98 

on the skippers method. See also FIG. 4 for a depiction checks if delta register 95 is zero and if pointer register 

of the corresponding (dispersed) emission generator 25 91 is equal to start register 90, if so, the refill request is 



22b. Again, a 64 KB base key will be partitioned but 
here with a (dispersed) partition index 15 ranging from 
16,576 to 34,432 bits. Each partition index is composed 
of 64 dispersed element specifiers and a list of skippers 
with each skipper being a byte value. The list of skip- 
pers is further divided into 64 contiguous groups with 
each group linked to exactly one dispersed element 
specifier. The following table defines the format of the 
dispersed element specifiers which range in size from 59 
to 90 bits: 

TABLE IV 



30 
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FIELD NAME 



SIZE 



start point specification 19 bits 

skip cycles specification 5 bits 

next delta specification 5 bits 

master holdback specification 4 bits 

initial holdback specification 4 bits 

xor cycles specification S bits 

xor datum specification 17-48 bits 



40 



The start point specification selects the starting bit 
which is some bit in base key ram 12 (19 bits spans 64 
KB exactly). The skip cycles specification selects how 
many 1-byte skippers are in its group of skippers using 
the formula COUNT skip cycles specification +25, 
thus yielding 25 to 56 skippers. The next delta specifica- 
tion selects the number of bits to be added (formula is 
NEXT=next delta specification +1, hence NEXT 
ranges from 1 to 32) to the starting bit to generate an- 
other starting bit whose uses are yet to be described. 
The xor cycles specification selects the size of the fol- 
lowing field, the xor datum specification, using the 
formula SIZE=xor cycles specification +17. The xor 



terminated by sending to holdback multiplexer 28 an 
element exhausted signal. 

Dispersed emission controller 98 resets emission 
counter two (2) 100 to zero and then begins to generate 
emission bits. First, dispersed emission controller 98 
reads pointer register 91 to obtain the bit address in base 
key ram 12 for the next element bit which is sent along 
101 to XOR two (2) 104. Also, the substitution bit from 
LSR 106 is sent along 105 to XOR two (2) 104. The 
output of XOR two (2) 104 is an emission bit which is 
sent along 103 to emission buffer two (2) 102. Emission 
buffer two (2) 102 is pulsed via clock 97 and the emis- 
sion bit is loaded. 

Dispersed emission controller 98 advances the state 
of dispersed substitution generator 107 by pulsing LSR 
106. 

Dispersed emission controller 98 advances pointer 
register 91 as follows. Current skipper register 94 is read 
with the value used to index a skipper in skipper table 
45 92. The selected skipper is read from skipper table 92 
with this value plus one added to pointer register 91. 
(Pointer register 91 is 19 bits wide. Hence, an advance- 
ment overflow wraps the address to the beginning of 
base key ram 12.) 

If the new pointer register 91 value crossed (or is 
equal to) the starting bit as selected by start register 90, 
dispersed emission controller 98 detects that the sub- 
emission is exhausted. If delta register 95 is also zero, 
then the entire element emission is exhausted and 
pointer register 91 is filled with the contents of start 
register 90 to flag this condition. If the sub-emission is 
exhausted but delta register 95 is non-zero, the second 
sub-emission is begun by adding the contents of delta 
register 95 to start register 90 with the sum stored in 



50 



55 



datum specification is used to modify the bit stream 

defined by the starting bit and skippers. The master 60 pointer register 91, delta register 95 is then zeroed to 



holdback specification and initial holdback specification 
are used to generate the initial values for storage in 
holdback register one (1) 24 through holdback register 
N 25, as before. 

Partition extractor 18 evaluates values for element 
descriptor one (1) 20 through element descriptor N 21 
(N=64) as follows. Start register 90 (shown generically 
in work registers two (2) 96) is filled with the start point 



65 



flag the beginning of the second sub-emission. 

Dispersed emission controller 98 advances current 
skipper register 94 by incrementing it once. If the new 
value is equal to the contents of skipper counter register 
93, zero is stored in current skipper register 94 to wrap 
the indexing to the start of skipper table 92. 

Dispersed emission controller 98 pulses emission 
counter two (2) 100 to accrue for the loaded emission 
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bit If emission buffer two (2) 102 is full (detected by ing. And if a substitution-permutation encoder is used, 
checking the contents of emission counter two (2) 100) 57 KB would encode at least 128 1024-bit frames (5,248 
or if an emission exhausted was detected, the emission bytes) before repeating; and since this keystream wOl 
generation terminates, else, another emission bit is gen- almost always not divide exactly the length needed to 
crated. 5 encode one frame (1 1,272 bits), the actual cycle length 

Upon emission generation termination, dispersed of frame encodings will generally be many (depending 
emission controller 98 pulses emission buffer two (2) on the gcd) multiples of the approximate 128 frame 
102 to right justify the content (by a number derived blocks. 

form emission counter two (2) 100 and the emission Of course cyclic prevention is easily accomplished by 
fragment word size). The contents of emission counter 10 maintaining a list of the partition indexes used. If a parti- 
two (2) 100 and emission buffer two (2) 102 are stored in tion index is generated which is already in the list, this 
the selected emission register (26-27) as count and frag- index is simply replaced with another index which is 
ment values. The contents of the modified work regis- chosen as different from all previous indexes. Alter- 
ters two (2) 96 and the contents of LSR 106 (tap control nately, cyclic behavior could be limited by maintaining 
register 108 is never modified) are stored in the element IS only a partial list of partition indexes (the first 100 say) 
descriptor (20-21) selected by target register 44. Fi- and/or saving only a portion of each partition index 
nally, dispersed emission controller 98 returns control (the first 64 bits say). 

to holdback multiplexer 28 by sending an emission re- Another objective of the present invention is to pro- 
filled signal on emission bus 23. vide a scheme for message key explosion. Since encod- 

Since each skipper is a byte value, each skipper has a 20 ing messages with 3 KB partition indexes would be 
mean value of 128 so that the mean length of dispersed burdensome, a method for expanding a much smaller 
element emissions is (64 KB/128)*2= 1 KB. With 64 message key into a larger partition index is very desk- 
elements, an amorphous stream of mean length 64 KB is able. The preferred method will expand a 64-bit mes- 
generated. Dispersed partition indexes have mean sage key into a 3 KB partition index using a non-linear 
length of 3,188 bytes so that this version of the dispersed 25 process which is dependent on the base key. But the 
amorphous process would generate about 61 KB of method is readily adaptable to explode, say, a 80-bit 
keystream per partition. message key if the later was deemed more appropriate. 

While a permutation of the dispersed elements is The exploding method to be described is very sensitive 
superfluous because the starting point specifications are and should approach or even satisfy the "Strict Ava- 
already random, the dispersed amorphous process can 30 lanche Criterion" SAC of Webster and Tavares. They 
be extended in many non-trivially ways. (Initial xor write "If a function is to satisfy the strict avalanche 
datum position, initial skipper byte, and initial bit emit- criterion, then each of its output bits should change 
ted specifications are also superfluous.) E.g., a delta with a probability of one half whenever a single input 
element count in the partition index could be used to bit x is complemented to x~." (Reference: A.F. Web- 
select the number of dispersed elements within some 35 ster and S.E. Tavares, "On the Design of S-Boxes", 
range. Multiple next delta specifications could be used Advances in Cryptology: CRYPTO 85 proceedings", 
so that more than two sub-emissions are used in generat- Springer, 1 986.) 

ing the dispersed element emissions. Seven other sets of The operational details of message key exploder 132 
skippers could be generated by a series of rotations of FIG. 5 are now described. For generality, message 
within each skippers group (with an eighth rotation 40 key exploder 132 uses an additional 19-bit parameter 
restoring the skippers group to its original values), thus called an encryptive explosion pointer, although a fixed 
yielding seven times more amorphous bits. Of course, value of 0 would have sufficed. Encryptive explosion 
dispersed substitution generator 107 could employ a pointer 111 is stored in bit address register one (1) 122 
more complex design using similar means as noted via bus 123. Exploder controller 116 loads 64-bit mes- 
above for path and substitution generator 74. 45 sage key 113 into plain text ram 114 and then makes 15 

The dispersed amorphous process is less desirable additional copies of the message key so that the leading 
than the path-based amorphous process with respects to 1024 bits in plain text ram 114 are filled, 
base key bandwidth usage. In the former, each access to Exploder controller 116 sends the first 64 bits of plain 
the base key will typically yield only one amorphous text ram 114 along bus 115 to CRC 118. CRC 118 per- 
stream bit, while in the latter it would be practical to 50 forms a 16-bit cyclic redundancy code operation on the 
utilize (on average) about half of the base key word read incoming plain text bits with the result stored in multi- 
(8 or more bits) during the generation process. plicand register 120. Streamer 124 then forms a bit 

One problem with the expanding amorphous process stream by successively incrementing bit address register 
method is that it could exhibit cyclic behavior, but this one (1) 122 and sends the selected base key bits (fetched 
should be very rare. Cyclic behavior is rare because the 55 via base key bus 35) along 127 to CEM one (1) 134. (Bit 
mapping of partition indexes to partition indexes will be address register one (1) is 19 bits wide so an increment 
uniformly random provided a random base key is used, overflow wraps to the start of base key ram 12 since 19 
preferably a base key in which each bit is an indepen- bits spans 64 KB exactly.) 

dent random value of uniform distribution. Since parti- CEM one (1) 134 receives a multiplier (i.e. the bit- 
tion indexes are huge (about 3 KB) and the number of 60 stream on 127) and a multiplicand from multiplicand 
partition indexes generated during an encoding session register 120 along 119 and performs a coarse encoder 
is small (about 200 for a 1 MB message), the probability . multiplication with the product stored in holding regis- 
that a cycle will develop is almost zero so that this case ter 112 by sending the product bits generated along 121. 
could be safely ignored. (It would take the generation of CEM one (1) 134 operates by forming a sequence of 
about 2 24576 /2= 2 12288 partition indexes before a "birth- 65 nineteen position value and XOR datum bit pairs from 
day surprise" partition collision would occur with prob- the multiplier. Each position value has 4 bits so a total of 
ability J.) Note that even the worst case of a fixed point ninety-five bits from streamer 124 is required. Each 
still generates about 57 KB of keystream before repeat- position value selects some bit in 16-bit multiplicand 



04/30/2004, EAST version: 1.4.1 



5,297,207 

29 30 

register 120 (4 bits spans 16 bits exactly). A sequence of process is to carve a 4 KB byte key area mto 32 ele- 
nineteen product bits are successively generated ments using 43-bit partition clement specifiers, 
through successive modulo-2 addition of a XOR datum Again, amorphous keystream 31 received from sec- 
bit with a bit in the multiplicand selected by the corre- ond amorphous process is stored in expansion ram 130. 
spending position value. 5 The keystream received is sufficiently long by construc- 

The contents of holding register 112 is send along 123 tion. The contents of expansion ram 130 thus generated 
and stored in bit address register one (1) 122. With the is defined as the (exploded) partition index, 
new bit address, streamer 124 generates a bitstream sent The key extension method (the expanding amorphous 
along 1^ to encoder 126. Encoder 126 forms cipher process) can be viewed from one vantage point which 
text by encoding the first 1024 bits from plain text ram 10 should be noted: the (path picking) amorphous process 
114 using the bitstream from stream 124 as the key. The is an encoder which uses a very large frame size but 
key is composed of 10,245 bits. Encoder 126 uses the only a small set of the possible permutations and XOR- 
first 1024 bits of the key as XOR datum which is added ings. Thus encryption could be achieved by using the 
bitwise modulo-2 to the leading 1024 bits in plain text plain text as a base key, and using the encryption key as 
ram 114. Encoder 126 uses the remaining key bits as a 15 the partition index, with the cipher text being the result- 
permutation selector which specifies the permutation ing amorphous stream. Obviously the partitions here 
that encoder 126 performs on the XORed bits in plain must not employ holes nor truncations, and further, the 
text ram 114. Exploder controller 116 then routes the carving of elements must insure that all bits are spanned. 
1024 bit cipher text from encoder 126 along 135 to bus it is preferred that the XORing be separated from the 
switch one (1) 128 for storage in expansion ram 130 20 path picking as was done in the dispersed amorphous 
along 131. The cipher text is defined as a first amor- process. Further, the XOR datum should be white noise 
phous seed. so that the plain text is whitened. 

Exploder controller 116 sends the initial 561 bits of This amorphous encoder has the drawback that 

expansion ram 130 (ie. first amorphous seed) through larger and larger plain text messages would require 

bus switch one (1) 128 as partition index 15 to expanding 25 larger and larger encryption keys, with even relatively 

amorphous process keystream generator 32 of FIG. 1. small files requiring keys of excessive length. E.g. a 64 

Exploder controller 116 then receives from expansion KB message would require an encryption key of about 

ram 130 (through bus switch one (1) 128 along 131 & 5 KB, assuming that each partition element specifier 

133) the next 19 bits of the first amorphous seed (the includes an xor datum specification with a mean length 

remaining bits are discarded). Exploder controller 116 30 of 40 bits. A way around non-uniform key lengths 

forms a partition descriptor using the 1 9 bits received to would be to employ a cryptographically secure random 

select a 256 byte area within base key ram 12. This number generator (e.g. the contracted randoms method 

descriptor is sent as partition descriptor 13 to expanding of the present invention) and use its keystream as the 

amorphous process keystream generator 32. The rough partition index for the amorphous encoding, 

format of the first expanding (path-picking) amorphous 35 Another drawback is that a very small partition is 

process is to carve the selected 256 byte key area into 16 undesirable while a very large partition is impractical 

elements using 30-bit partition element specifiers. from an efficiency standpoint, thus suggesting that small 

Once initialized, expanding amorphous process keys- partitions should be encoded with a full permutation 

tream generator 32 passes the entire amorphous stream and XORing while larger partitions are broken up into 

33 through stream router 30 and is received by bus 40 more manageable sizes which are then individually 

switch one (1) 128 as keystream 31. Exploder controller partitioned. The amorphous encoder does make a trade- 

116 routes keystream 31 for storage in expansion ram off of security for speed, but would be a good choice for 

130 as a second amorphous seed. software only systems where a relaxed security is ac- 

Similarly, though now based second amorphous seed, ceptable. 

exploder controller 116 sends a 1,557 bit partition index 45 To be more concrete, consider amorphous encoding 

15 and a partition descriptor 13 to expanding amor- for messages from 32 bytes to 64 KB. The following 

phous process keystream generator 32. The rough for- schedule table illustrates the parameters used to form a 

mat of the second expanding (path-picking) amorphous partition descriptor 13 for various message sizes. 



TABLE V 



FRAME 


ELEMENT 




PARTITION 








SIZE 


SIZE 


ELEMENT 


INDEX SIZE 


PARTITION SI 


>ECIFICATION 


(bytes)" 


(bits) 


COUNT 


(mean bits) 


VECTOR (bits) 




32 


32 


8 


229 


5 


5 2 ; 


i 2 2 8.5 


64 


64 


8 


317 


6 


6 2 : 


I 2 3 16.5 


128 


64 


16 


649 


6 


6 2 ; 


i 2 3 16.5 


256 


128 


16 


953 


7 


7 2 ; 


I 2 4 32.5 


512 


128 


32 


1,937 


7 


7 2 ; 


I 2 4 32.5 


1024 


256 


32 


3,057 


8 


8 2 


I 2 5 64.5 


2048 


256 


64 


6,305 


8 


8 2 


3 3 5 64.5 


4096 


512 


64 


6,497 


9 


9 3 


J 3 5 64.5 


8192 


512 


128 


13,505 


9 


9 4 


4 4 5 64.5 


16,384 


1024 


128 


22,031 


10 


10 4 


4 4 6 128.5 


32,768 


1024 


256 


44,415 


10 


10 4 


4 4 6 128.5 


65.536 


1024 


512 


89.345 


10 


10 4 


4 4 6 128.5 
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TABLE V-continued 



FRAME 
SIZE 
(bytes) 



ELEMENT 
SIZE 
(bits) 



ELEMENT 
COUNT 



PARTITION 
INDEX SIZE 
(mean bits) 



PARTITION SPECIFICATION 
VECTOR (bits) 



size sp eci fi c ation 
initial hem specification 
path picking specification 
master hlodback specification 
initial holdback specification 
xor cycles specification 
aor datum s pecific a tio n (mean) 



As an example on how the above schedule table is 
utilized, consider the case when exactly 150 bytes of 15 
plain text is to be encoded. This value selects the entry 
with 128 bytes. Thus, 16 elements should be used for the 
partition with a mean element size of 75 bits= 150 B/16. 
The xor cycles specification (a 3 bit value ranging from 
0 to 7) is added to 13 so that the xor datum specification 20 
ranges from 13 to 20 bits. 

Another (minor) objective of the invention is to pro- 
vide for message key hiding by embedding the message 
key in the leading portion of the cipher text. This is 
mentioned in passing primarily to illustrate another use 25 
of amorphously generated bits and to exploit the large 
existing base key. To be concrete, consider a leading 
ciper text area of 4096 bits and a message key of 64 bits. 
Briefly, a small embedding index, say 32-bits, could be 
expanded by a CEM (coarse encoder multiplier) to- 30 
getber with a base key stream using a fixed starting 
address. The product formed could then be interpreted 
as a starting address in the base key and a dispersed 
specifier comprised of a plurality of skipper and xor 
datum pairs. Through a simple dispersed amorphous 35 
process, the starting address and dispersed specifier ' 
would yield an amorphous stream. 

The amorphous stream is parsed to form 64 pairs of 
an 1-bit operand bit and a 12-bit position index. Message 
bits are successively XORed with successive operand 40 
bits with these sum bits inserted into the cipher text 
work area at points selected by the associated position 
index. The resulting 4160 bits of modified cipher text, 
plus the embedding index, form the new leading portion 
of the cipher text. 45 

The contracted randoms method of generating a 
keystream is now described as illustrated by contraction 
amorphous process keystream generator 158 of FIG. 6. 
For concreteness, assume that a frame size of 1024 bits 
is employed. Seed 141 is sent to random number genera- 50 
tor 140 which is some pseudo-random number genera- 
tion means, e.g. a maximal length LSR or a congniential 
multiplier. The random numbers from random number 
generator 140 are sent along 143 to contraction control- 
ler 142. From the incoming random numbers, contrac- 
tion controller 142 first forms a permutation selector (of 
size 9233 bits) sent along 148 to permutator 154. Permu- 
tation selection 148 is resolved by permutator 154 into a 
permutation defined by a finite sequence of 1024 per- 
muted indexes which are successively sent along 153 to 
segmented shift register 156. 

Contraction controller 142 next forms 1024 bit pairs 
which are successively sent along 145 to XOR three (3) 
144. The 1024 datum bits formed by XOR three (3) 144 
are successively sent along 157 to segmented shift regis- 
ter 156. Each datum bit is stored in segmented shift 
register 156 at the bit location specified by a corre- 
sponding permuted index from permutator 154. After 



1024 datum bits are thus stored, segmented shift register 
156 is filled. 

Next, contraction controller 142 forms three hundred 
deleters with each deletor selecting some bit in seg- 
mented shift register 156. The deletors are successively 
sent along 155 to segmented shift register 156 wherein 
each received deletor evokes the deletion of a selected 
bit by recovering the selected bit position through shift- 
ing the remaining bits. Each deletor is successively 
formed from a 10-bit value parsed from random number 
stream 143. Each 10-bit value is formed into a deletor by 
bounding the value with a modulus which is succes- 
sively decremented so that each deletor selects an exist- 
ing bit in segmented shift register 156. 

Similarly, contraction controller 142 forms three 
hundred bit pairs and also three hundred creators with 
each creator selecting some bit position in segmented 
shift register 156. The bit pairs are successively sent 
along 145 to XOR three (3) 144 from which an addi- 
tional three hundred datum bits are formed. The datum 
bits are successively sent along 157 for insertion into 
segmented shift register 156. The creators are succes- 
sively sent along 155 to segmented shift register 156 
wherein each received creator evokes the insertion of 
an associated datum bit by freeing the selected bit posi- 
tion through shifting the remaining bits and then storing 
the datum bit at the free position. Each creator is suc- 
cessively formed from a 10-bit value parsed from ran- 
dom number stream 143. Each 10-bit value is formed 
into a creator by bounding the value with a modulus 
which is successively incremented so that each creator 
selects an existing bit position in segmented shift regis- 
ter 156. 

Upon completion of operations (permuted filling, 
deletions, then creations), the contents of the segmented 
shift register 156 is output along 156 as a keystream 
fragment This sequence of operations is repeated using 
addition random numbers from random number genera- 
tor 140 resulting in a plurality of keystream fragments, 
whose totality is defined as the keystream. (A minor 
performance consideration, particularly for software 
implementations of very large frame sizes. Instead of 
performing the deletions (or creations) sequentially, it 
would be faster to extract a sorted list of the deletors 
(and creators) so that only one pass of bit shifting would 
be required.) 

The operational details of permutator 154 in FIG. 6 
are described next. A permutation selector is applied to 
index extractor 146 along 148. Index extractor 146 sig- 
nals permutation controller 150 through 149 that a se- 
lector has been received. Permutation controller 150 
initializes permutation buffer 152 by successively filling 
the (1024 10-bit) registers therein with the consecutive 
integers starting with zero, Le with the integers 0 
through 1023, wherein these index values span the bit 
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positions within segmented shift register 156 exactly. 174 via clock 181 to advance the state of that simple 
Permutation controller 150 then stores the value of 1023 LSR, wherein NOT 176 complements output 175 to 
along 151 into slot counter 148 so that this counter form a signal at 177 which is shifted into direction regis- 
addresses the last register in permutation buffer 152. ter 174 as the output is shifted out 

The received permutation selector is resolved by 5 Upon outputting a transposition index, index control- 
index extractor 146 into 1023 transposition indexes ler 166 pulses span counter 170 via 179 in order to dec- 
which are successively sent along 149 to permutation rem en t it This process continues until all of the shuffle 
controller 150. Permutation controller 150 converts indexes are transformed into transposition indexes, 
each transposition index into a permuted index by out- Although described for a frame size of 1024 bits, 
putting the contents of the permutation buffer 152 regis- 10 index extractor 146 would work for any frame size (as 
ter selected by the transposition index through per- would permutator 154) but is particularly efficient 
muted index bus 153. After outputting a permuted in- when the frame size is some power of 2. This index 
dex, permutation controller 150 reads slot counter 148 extractor requires neither division nor multiplications, 
via 151 to obtain an address selecting a register in per- m £ only requires a permutation selector slightly larger 
mutation buffer 152 which is read via 153, the contents 15 fa e "division" variant In fact from induction it can 
of which are stored in the permutation bufTer 152 regis- ^ re^iiy shown that SIZE(permutation selec- 
ter selected by the transposition index. tor)= 1 +(N*M) bits where N=2*2^. 

Upon processing a transposition index, permutation Index \A6 generates transposition indexes 

controller 150 pulses slot counter 148 which is then which m ncarly distributed. Note that if the 

decremented. Permuted indexes are formed until slot 20 shufnc mdcxcs werc bounded, the bias intro- 

counter 148 reaches zero, which is detected by permu- duced by moc mius bounding would be a positive bias 
tation controller 150 which then reads the first register for thc leadin values of ^5^0,, mdcxeSi j. e . 0f 1, 
in permutation buffer 152 and outputs its contents as a ^ etc However, the leading values which are doubly 
final permuted index. mapped grows (one element per suge) until all but one 

The operational dctads of (hashed division) mdex 25 m *%J£ mapped, and then selector parser 160 ad- 
?^ C A°L 146, " dCP - CtCd ? I 7 G '- 7 ' T T vances to the next wave (with one less bit in the shuffle 

A 92334* ^«^^ indexes) and the doubly mapped list is reset to one ele- 

parser 160 along 148. The first 16-bits of received per- ' reflectmg Ae doubly mapped items 

mutation selector are sent by selector parse, -MB I as a ^ ^ ^ ^ * ^ bias 

direction value along 161 and stored in direction regis- 30 . . * . . . . . . . x '..',„ j ic 

ter 174. Index controller 166 then stores the value of ^ ™ th * e JTT^^^E? S 
1024 (i.e. the number of bits to permute) along 179 into ™ th the 0Ut P u « ^J&^XZ^ 

an ^mjter 170 Better dispersion could be obtained by reflecting 

From the remaining 9217 permutation selector bits. towards the middle of the interval half of the time, U. 
selector parser 160 successively forms 1023 shuffle in- 35 b y spreading the founded value ou by mappmgthe odd 
dexes byusing the minimal number of bits needed to ■ values *> n « h * the even t0 * e ! cft of ^ 
span the maximum value for the transposition index to Jtervaft center; but in many apphcations this improved 
be derived from that shuffle index. Specifically, 512 distribution would not merit the additional complexity. 
10-bit shuffle indexes are formed, then 256 9-bit shuffle ° r course, even more complex reflections could be 
indexes are formed, and so on. (Actually, all shuffle 40 employed to obtain even smooth^ d^tnbuuons. 
indexes are 10 bits long. A 9-bit index is padded with a . Direction register 174 and NOT 176 function as a 
leading zero to form a full sized shuffle index, and so lmcar shift register. It is initialized with independent 
on ) data for each permutation to resolve. Alternately, this 

Index controller 166 transforms each shuffle index LSR could be initialized once and used to form all sub- 
into a transposition index which is output at 149 by the 45 sequent permutations, thus minimizing the need for 
following process. A shuffle index from selector parser keystream. Then, use of a more complex linear shift 
160 is sent along 163 and stored in shuffle register 162. register of very large period would be an attractive yet 
The contents of span counter 170 are sent along 171 and simple enhancement Of course, the linear shift register 
subtracted from the contents of shuffle register 162 sent section could reuse a portion of the partition selector or 
along 165 by subtracter one (1) 164. Index controller 50 use pre-defined values and thus eliminate the need for 
167 receives borrow 167 from subtracter one (1) 164 any additional bits. (To simplify mdex controller 166, 
and outputs the contents of shuffle register 162 received direction register 174 could always be advanced once 
along, 165 as the transposition index provided that bor- for each transposition index formed regardless of 
row 167 is active (i.e provided shuffle index <span whether a selection is required.) 
counter). 55 To increase the contracting ratio of the amorphous 

Whenever borrow 167 is inactive, the contents of process of FIG. 6, permutator 154 could use an index 
span counter 170 received along 171 by decrementor extractor 146 which employs "multiplication" instead 
172 are used to form a decremented value at 173. Result of "hashed division". Here, each "shuffle index" would 
169 from subtracter one (1) is subtracted from decre- be interpreted as a real value between zero and one. 
mented value 173 by subtracter two (2) 168 to form a 60 Transposition indexes would be formed by scaling each 
result sent to index controller 166 along 185. Then index shuffle index through a multiplication with the span 
controller 166 outputs as the transposition index either counter contents. Since more and more bits could be 
result 169 received from subtracter one (1) 164 or result used to form each shuffle index, any ratio of contraction 
185 received from subtracter two (2) 168; the selection desired is possible. To overcome the predominance of 
made is dependent on the output of direction register 65 the leading bits, shuffle indexes could be formed by 
174 received along 175, say a zero selects the former XORing together two or more portions parsed from the 
result and a one selects the later. Upon selecting one of permutation selector. This technique could also be used 
the results, index controller 166 pulses direction register with the "hashed division" index extractor of FIG. 7. 
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A similar increase in the contraction ratio could be Such a scheme would be practical for a host system 

achieved by using more than two bits when forming which must manage potentially millions of base keys, 

datum bits with XOR three (3) 144. This substitutive For example consider the implications of using these 

component can be made arbitrarily dense, thus again methods for electronic funds transfer. A 64 KB key can 

lending to any contraction ratio desired. 5 easily be stored on a $5 EEPROM. A card with an 

Another mechanism which increases the contraction EEPROM plus a microprocessor and support logic 
ratio while adding more amorphousness is staggering, could be housed as a low cost "smart card" for transac- 
ts dynamic field sizing. Staggering could be used for tion purposes such as checking accounts, credit cards, 
both XOR datum and transposition index generation. or even governmental currency. The above methods for 
An example for staggered field generation is as follows. 10 generating base keys eliminates the need for massive 
The parser takes 2 bits from the incoming stream, the storage while the storage of large 64 KB keys at the 
stagor, and forms the value COUNT= 3+ stagor where level » o^te practical. The amorphous generation 
stagor ranges from 0 to 3. The parser then outputs the of base kevs woul£i effectively hide the method so 
next COUNT bits as the field, which here range from 3 *»t cven ™ opponent with knowledge of all the base 
to 6 bits. Thus, a parsed stream of stagor and field pairs 15 kevs m would stU1 not M * to generate any other 
would look as follows: 01 1001 00 101 1 1 100101 00 1 10. possible °*se keys- 

A very simple yet very important keystream genera- . ^ ™ c ^*™^°* of generating a keystream 

tion configuration results from combining the key ex- 15 now descnbed ' ? if dc P lcts state machine keys- 

tension method and the contracted randoms method by „ generator 220 and illustrates the basic operations 

using the keystream from the former to feed the later. 20 of Wl *°* °{ **. 

Specifically; this "amorphous teeter-totter" could be mac , hme method will be described with a particular 

implemented by replacing the random number 140 of PP ™«™°n- The particular functional detaus were 

FIG. 6 with keystream 3? from the expanding process ™f* em ?^ m /°* ware * e aw**** 

of FIG. 1 wherein keystream 159 is usVd as the actual M Jf*. 5ti f t,ca, t T * * 

, . J . . . 25 this implementation. 

keystream The equ.vocat.on resultoig from even a A key is first applied to state machine keystream 

smaU contractton ratio of say 5 (Le. 5 bits to encode 1 ^ 2M fc ^ o{two p ms: a 

bit, thus requiring 6 bits to ortput 1 bit) would hide 64-bit machine index which is storedinmachine register 

keystream 31 to the extent that keystream 159 is for all 19Q ^ a ^ ^ which h u ^ 

practical purposes suitable for use m a one-time pad. 3Q re - ster ^ 

The amorphous teeter-totter is functionally similar to Be ral outline ^ to derive from machine register 

moving the transposition component of the encoder to m ^ state register m through a non-linear (amor- 

the keystream generation point However, a contract- hous) process a new value for state register m ^ 

ing amorphous process can include annihilation (dele- ^ ^ output value t0 ^ ^ t0 form the keystream. 

tions) and creations thus making the amorphous teeter- 35 transition after transition, a next state variable is 

totter more flexible. Alternatively, an amorphous teet- produced along with an output value. This transition 

er-totter could be employ two expanding amorphous process is broken into seven steps as described below, 

processes, wherein the contraction of the later results ^ step of ^ transition is to fill (the 1024 

by reducing successive base key and partition index byte ) dependency table ram 204 using the output from 

pairs from the former into amorphous streams. 40 random generator 194 which is seeded from both ma- 

The contracted randoms method is not as efficient as cn j ne register 190 and state register 192. 
the key extension method, making keystream genera- F IG. 9 depicts random generator 194 which operates 
tion based on contracted randoms less attractive for m tne following manner. Random controller 222 re- 
encoding. However, the contracted randoms method is ceives along state bus 193 the first 32 bits of machine 
an attractive means for generating keys for use by the 45 register 190 and the first 32 bits of state register 192, 
key extension method. Then only a small key kernel, say wn ich are XORed together (with the least significant 
40 bytes, needs to be stored and generated, possibly by bit then set to one) to form a first seed value which is 
a truly random process. This key kernel is expanded to sent along 223 and stored in 32-bit seed register 226. 
its 64 KB form only when needed. In large computer Random controller 222 advances seed register 226 by 
systems, high speed circuitry with possibly multiple RN 50 first sending its contents along 223 to multiplier 224. 
generators could be employed for rapid key kernel Multiplier 224 forms a product by multiplier together 
expansion even if a highly contractive amorphous pro- received seed value and a fixed value of 663608941 with 
cess was used. the upper 32 bits of the product discarded. (This multi- 

AJternatively, a key kernel in the form of a message plication forms a congruential multiplier, denoted as 

key could be used to generate the base keys needed by 55 U13 in The Handbook of Random Number Generation 

the key extension method. Here, say a 48-bit key kernel and Testing.) Multiplier 224 sends the lower 32 bits of 

(message key) together with a 1 MB generator base key the product along 223 and is stored back in seed register 

could be used to form 64 KB work keys by message key 226. 

explosion and key extension using the generator base As a momentary aside in the explanation of the pre- 

key. 60 ferred embodiment of the present invention, the use of a 

The preceding two base key generation methods congruential multiplier may seem strange. Namely, a 

could be combined in various ways. E.g., a key kernel whole goal of the present invention is to escape from a 

could be expanded into a 70 KB item plus seeding infor- composite random number generator design entirely, 

mation for a contracting amorphous process using The reason that a congruential multiplier is used is to 

pseudo random number generators). The output from 65 reduce the possibility of fixed points. If a dispersed 

the contracting process could then be used to form expanding process were to be applied directly to the 

deleters, which are applied to the 70 KB item to reduce machine index and state variable as input, these input 

it to a 64 KB base key. values would have to be random to produce a random 
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output for the dependency table. It happens that, if both 
the machine index and state variable were zero, the 
dependency table, the next state variable, and the out- 
put value would all also be zero! Thus, a source of ran- 
dom numbers is needed which can supply random num- 
bers that are then amorphously contracted to form a 
dependency table. Statistical tests, included in Appen- 
dix 3, have been run on the state machine in accordance 
with the present invention. The suitability of a congru- 



from dependency table ram 204 based on a starting 
address received on index bus 203. (Streaming CEM 
196 operates identically to CEM one (1) 134, streamer 
124, and bit address register one (1) 122 of FIG. 5.) 
Transition controller 202 sends along 203 a starting 
address of zero to streaming CEM 196. The contents of 
machine register 190 and state register 192 (effectively 
concatenated together) are sent along 193 and routed 
through bus switch two (2) 198 along 197 to provide 



ential multiplier for its random number generation func- 10 streaming CEM 196 with a 128-bit multiplicand. The 
' c " J product (here formed using 7-bit position values and 1 

bit XOR datum values parsed from the multiplier 
stream of dependency bits) is sent along 199 to bus 
switch two (2) 198 and routed along garbage bus 201 for 
storage in garbage index ram 200. 

Garbage index ram 200 is decomposed by transition 
controller into fields which are used by the subsequent 
steps. The following table shows this decomposition: 

TABLE VI 



15 



tion has been verified. 

Continuing in FIG. 9, random controller 222 fills 32 
byte key table 236 by storing the upper 16 bits of seed 
register 226 along 225 into the first two bytes of key 
table 236. By the method just described above, multi- 
plier 224 is repetitively used to advance seed register 
226, with each advancement yielding another two bytes 
for storage in successive location in key table 236. A 
total of 16 cycles are needed to fill key table 236. 

Next, random controller 222 receives along state bus 20 
193 the second 32 bits of machine register 190 and the 
second 32 bits of state register 192, which are XORed 
together (with the least significant bit then set to one) to 
form a second seed value which is stored in seed register 
226. Random controller 222 then sends the value zero 25 
along 227 for storage in selection register 230 which, 
thus initialized, selects the first bit in key table 236. 

Random controller 222 then forms a sequence of 8192 
amorphous bits which are concatenated (say 32 bits at a 
time) by collection register 234 with these (concate- 
nated) random outputs successively sent along 195 for 
storage in 1024 byte dependency table ram 204. The 
formation of amorphous bits (using a dispersed amor- 
phous process) is as follows. 



FIELD NAME 



SIZE 



global dependency index 


13 bits 


packed function indexes 


7S4 bits: 16 49-bit items 


(byte alignment: not used) 


3 bits 


nibble, penn selector 


128 bits 


accumulation index 


8 bits 


permutation selector 


49 bits 


state emitter index 


13 bits 


output emitter index 


13 bits 


(excess: not used) 


13 bits 
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The third step is to fill 32 byte function table ram 210. 
This is accomplished by 16 stages of successively ex- 
panding a 49-bit packed function index by means of 



unpacker 206 to form a 57-bit function index which is 
Random controller 222 advances seed register 226 as 35 ^ to eva Iuator 208 which produces a 16-bit value for 



described above via multiplier 224. The contents of seed 
register 226 are then sent along 223 and stored in 32-bit 
parsing register 228. Parsing register 228 is pulsed by 
random controller 222 resulting in the four least signifi- 
cant bits being discarded. The remaining 28 bits are 40 
successively parsed into seven pairs with each pair con- 
taining a 3-bit skipper and a 1-bit XOR datum bit. Each 
of the seven pairs is used to form one amorphous bit 
After forming seven amorphous bits, the process re- 

peats by first advancing seed register 226, and then so 45 ^^^Z^f^gWa anTiT£o7ed 'm7it°ad 

° n To transform a said pair into an amorphous bit, ran- dress register two (2)242 witlm, unpacter^. Unpack- 

* „ v , A . r «. . . ine streamer 240 forms an unpacking stream at 241 by 

dom controller 222 request the next three bits (the skip- * ~T. Jj * „ t . . M _ 

x _ T* „_ . , - . , , . outouttine successive bits of dependency table ram 204 

per) from parsing register 228 with this value (ranging p 6 *^ J - 

from 0 to 7) added to the contents of selection register 50 
230. (Selection register 230 is 8 bits wide so an overflow 
will wrap to the staring address in key table 236.) The 
new contents of selection register 230 are used to ad- 
dress a bit in key table 236 which is received by random 
controller 222 along 225 and sent to XOR four (4) 232 55 
along 229. Random controller 222 then receives from 
parsing register 228 the next bit therein with this value 
(the XOR datum bit) also sent along 229 to XOR four 
(4) 232. The output of XOR four (4) 232 is an amor- _ 
phous bit which is sent along 231 for storage in collec- 60 insertible shift register 246, and increments this quan 
tion register 234. Random controller 222 then incre- tity, to form a value (ranging from 1 to 8) which is sent 
ments the contents of selection register 230, and contin- along 245 and stored in dispersed counter register one 
ues until enough bits are generated. (1) 252. Unpacking controller 244 takes the 2nd through 

After filling dependency table ram 204, the second 49th bits of insertible shift register 245 and sends this 
step is to fill 1024-bit garbage index ram 200 using 65 48-bit value along 245 for storage in insert list 248. 
streaming CEM 196. Streaming CEM 196 (a coarse Then, unpacking controller 244 initializes current pair 
encoder multiplier) operates by forming product 199 register one (1) 250 with a value of zero to select the 
from multiplicand 197 using a multiplier stream derived first pair in dispersed descriptor one (1) 254. 



storage in function table ram 210. After all 16 packed 
function indexes are thus processed, function table ram 
210 FIG. 10 depicts unpacker 206 which operates in the 
following is filled. 

FIG. 10 depicts unpacket 206 which operates in the 
following manner in order to insert eight bits generated 
by a dispersed amorphous process into a packed func- 
tion index to expand it Transition controller sends the 
13-bit global dependency index decomposed from gar- 



(received along dependency bus 195) selected by bit 
address register two (2) 242. (Note that 13-bits address 
each bit in 1024 bytes exactly.) The unpacking stream is 
sent along 241 to unpacking controller 244, and is used 
continuously to expand all 16 of the packed function 
indexes. 

At each unpacking stage, transition controller 202 
sends the next 49-bit packed function index along 203 
with this index stored in insertible shift register 246. 
Unpacking controller 244 takes the first three bits of 
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Unpacking controller 244 receives unpacking stream 
241 and from consecutive unpacking bits forms pair(s) 
of a 1-bit XOR datum and a 3-bit skipper. Each pair is 
successively sent along 245 for storage in dispersed 
descriptor one (1) 254 with dispersed count register one 5 
(1) 252 specifying the number of such pairs to form. E.g. 
if three pairs are specified and the unpacking stream is 
011010100100, dispersed descriptor one (1) 254 is filled 
as follows: 

TABLE VII 10 



IS 



XOR DATUM 


SKIPPER 


0 


110(6) 


1 


010 (2) 


0 


100(4) 



Unpacking controller 244 successively forms eight 
creature bits by the following dispersed amorphous 
process. The bit from dependency table ram 204 se- 
lected by bit address register two (2) 242 is received „ , - ^ . . . , 
along 195. Unpacking controller also receives the XOR 20 datum and a 3 ' blt ^PJ*'; Each pair is successively sent 



unpacking streamer 240 of FIG. 10 and also is based on 
dependency table ram 204) outputs an operand stream 
along 261 to operand controller 262. 

At each of the three stages, evaluator 208 sends an 
operand index along 203 to operand controller 262. 
Operand controller 262 decomposes the received oper- 
and index into two fields: a 3-bit extraction index and a 
10-bit source index. The extraction index is incremented 
(now ranging from 1 to 8) and sent along 263 for storage 
in dispersed count register two (2) 260. The source 
index is stored in emission pointer register 264 with this 
value selecting a bit in garbage index ram 200 (10 bits 
spans 1024 bits exactly). Then, operand controller 262 
initializes current pair register two (2) 268 with a value 
of zero to select the first pair in dispersed descriptor 
two (2) 270. 

From consecutive bits of received operand stream 
261, operand controller 262 forms pair(s) of a 1-bit XOR 



datum bit in dispersed descriptor one (1) 254 as selected 
by current pair register one (1) 250. The dependency bit 
and XOR datum bit are XORed together with the result 
defined as a creature bit Bit address register two (2) 242 
is advanced by adding to it the value of the associated 
skipper (from dispersed descriptor one (1) 254) plus one. 
Current pair register one (1) 250 is advanced by incre- 
menting it; though if the new value is equal to the con- 
tents of dispersed count register one (1) 252, current 
pair register one (1) 250 is reset to zero instead. 

Unpacking controller 244 successively inserts each 
creature bit into insertible shift register 246 at succes- 
sive positions derived from insert list 248. The 48 bits in 
insert list 248 are internally stored in eight 6-bit position 



25 
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along 263 for storage in dispersed descriptor two (2) 270 
with dispersed count register two (2) 266 specifying the 
number of such pairs to form. 

In a manner identical to creature bit formation by 
unpacker 206, operand controller 262 forms emission 
bits by the following dispersed amorphous process. The 
bit from garbage index ram 200 selected by emission 
pointer register 264 is received along 201. Operand 
controller also receives the XOR datum bit in dispersed 
descriptor two (2) 270 as selected by current pair regis- 
ter two (2) 268. The garbage index bit and XOR datum 
bit are XORed together with the result defined as an 
emission bit Emission pointer register 264 is advanced 



items. Each position item is successively bounded by a 35 bv to il Ae value of the associated skipper (from 



modulus of 49, 50, . . . , 56 in order to derive a valid 
insert position. Once all creature bits are inserted, in- 
sertible shift register 246 contains a function index 
which is sent along unpacked bus 207 to evaluator 208. 

Each 57-bit function index from unpacker 206 is de- 
composed by evaluator 208 into the seven fields as 
shown in the table below, and these are used by evalua- 
tor 208 to generate a 16-bit function value to be stored 
in function table ram 210. 



TABLE VIII 


FIELD NAME 


SIZE 


order index 


I bit 


dependency index 


13 bits 


operandi index 


13 bits 


oper&nctt index 


13 bits 


operand 3 index 


13 bits 


operation 1 index 


2 bits 


operation index 


2 bits 



40 



45 



50 



Evaluator 208 computes FUNCTION VALUE- 35 
=Operation B( Operation A( Opl, Op2), Op3) to obtain 
the 16-bit function value. The order index selects which 
operation class is evaluated first, with (A= 1, B=2) if 
order index is 0, and (A=2, B = 1) otherwise. The oper- 
ands and operations to be used are described directly 60 
below. 

Operands Opl, Op2, Op3 are successively generated 
from respectively operandi index, operand2 index, and 
operandi index by operand maker 274, depicted in FIG. 
11, in the following manner. First, evaluator 208 sends 65 
the 13-bit dependency index (parsed from a function 
index) along index bus 203 and is stored in operand 
streamer 260. Operand streamer 260 (functions same as 



dispersed descriptor two (2) 270) plus one. Current pair 
register two (2) 268 is advanced by incrementing it; 
though if the new value is equal to the contents of dis- 
persed count register two (2) 266, current pair register 
two (2) 268 is reset to zero instead. 

Operand controller 262 sends each emission bit along 
265 for storage in operand register 272. When enough 
emission bits are generated, either 8 or 16 bits depending 
on the selected operation, the contents of operand regis- 
ter 272 are output at 267 with this value defined as an 
operand. 

Evaluator 208 uses the 2-bit field, operationl index 
parsed from a function index, to select a logical compu- 
tation to be used for Operationl from the following 
table, here shown with Opl and Op2 used generically. 
Here, operands are 16 bits long. (Opl— low denotes the 
lower 8-bits of Opl, and similarly for "high". is 
used to denote concatenation.) 

TABLE DC 



INDEX 


COMPUTATION (LOGICAL) 


0 


(Opl _Iow AND Op2_low) + (Op I -high OR 




Op2— high) 


1 


(Opl _low OR Op2_Jow) + (Opl— high AND 




Op? high) 


2 


Opl XOR Op2 


3 


(NOT Opl) XOR Op2 



Similarly, operation^ index selects an arithmetic com- 
putation to be used for Operation2 from the following 
table. Here, operands are 16 bits long except for Op2 in 
DIV where an 8-bit operand is required. 
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TABLE X 



INDEX COMPUTATION (ARITHMETIC) 

0 Opl ADD Op2 (curies are ignored) 

1 Opl SUB Op2 (borrows are ignored) 

2 Opl MUL Op2, ADD low and high parts 

3 Opl DIV Op2, XOR dividend A divisor to quotient 



2nd collector index has a value of 2, then apply the 
formula A2=S3 XOR S4.) 

TABLE XI 



INDEX 


COMPUTATION 


0 


SI ADD S2 (carries arc ignored) 


1 


SI SUB S2 (borrows arc ignored) 


2 


SI XOR S2 


3 


(NEGS1) XORS2 



MUL (index =2) multiples two 16-bit values which 
results in a 32-bit value. This 32-bit value is decomposed 10 ... 
into low and high 16-bit values which are then added. The sixth step is to form a 512-bit product which is 
This 16-bit sum, ignoring carries, is the final result. defined as the next component of the keystream. To this 
DIV (index =3) is performed by padding Opl with 16 transition controller sends the 13-bit output emitter 
leading zeros and using a 8-bit Op2 which is padding Me * (parsed from garbage index ram 200) along 203 to 
with 8 leading zeros. The division is performed on 32- IS streaming CEM 196 to define the starting bit of the 
bit dividend with a 16-bit divisor (forced to 1 if origi- multiplier stream. Transition controller 202 then config- 
nally 0) and, thus bounded, results in a 16-bit quotient «"* bus switch two (2) 198 to route the 128-bit contents 
and 16-bit remainder. The 16-bit quotient is XORed of accumulator multiplicand register 218 along 217 to 
with 16-bit Opl, and then the high 8-bit quotient portion PWvMe for a multiplicand at 197. Streaming CEM de- 
is XORed with 8-bit Op2. This modified 164>it quotient 20 composes the multiplier stream mto 512 pairs of 7-bit 
is the final result. These XORings of the quotient were P«">° n ««>. "* XOR datum values, and are 
chosen to whiten the division process which generates 5*^* t0 <*? multiplicand to form a 51 2-bit product, 
too few l's Product 199 is sent through bus switch two (2) 198 and 
Thus, the third step of filling function table 210 has 0 *V*" 2 » 85 8 fragment ^ 
been fully described. 25 ** * "> form * <^»t product 

Thefourthstepistofm32bytesumtableram214.To » used as |1 tne n f 

this end, transition controller 202 sends the 49-bit per- transition controUer sends the "-bit state «mttermdex 

mutation selector and the 128-bit nibble perm selector <P™** «»*•« e ™> * ^.J" 

(parsed from garbage index ram 200) along index bus CEM ». deflne ^^JS* ta of * he 

203 to permute unit 212. Permutate unit 212 first ap- 3° mulUpher stteam. Tra^itoon controller 202 ften config- 

plies theVbit permutation selector to a "hashed di£ myms^t^mm^tc^ibtl^ca^ 

■ » * .~ \~ A w„_ « ™.. ~-a-~ «r *u a \a of accumulator multiplicand register 218 along 217 to 

sion pennutator to obtain a new ordering of the 16 r , . t r , 4 * e , r^cxi a*> 

. v • *. ** * vi * nn xr « rem en ci provide for a multiplicand at 197. Streaming CEM de- 
elements in function table ram 210. E.g., (F5 F12 F3 Y ** . , *? r _ 

„ C1 co n>i « n cm tm cuTci en cii\ composes the multiplier stream mto 64 pairs of 7 -bit 

F15 F7 Fl F* F14 W R no H F16 F4 Fll F13). XQR datum J ^ „ 

Con^uuvepa^s from ^ fun £ mu]tiplicand t0 form a 64-bit product. 

are transformed by mbble P«mutations o form 32-bit j^ugh ^ % ^ gfa md 

sum elements labeled SI to S8^ Permutate ^t 212 sue- for f m f m 

cessively forms and sends each sum element dong 213 Renter confi ^ tion of above state 

foi D Storage m sum table > m 214, thus ; filling it g £ rcprcscntativc ofthis 

Permutate umt 212 decomposes the 128-bit mbble ^ ^ } fonnin de £ ndency ^ ^ ^ 

perm selector mto 8 16-bit ub selectors which are sue ^ varia ^ (2) formin a b 

cessively sent to a "division" pennutator with the re- ^dex from ft machine mdcx ^ ^ yariablc ^ d de _ 

suiting permutations applied to successive (permuted) d tebl (3) decoinposing ^ garbage index into 

fimction pairs. ^For example, take the first pair of F5 and 4J £, ds which dcscHbe trai £ tion ^ output functions, 

F12. These 16-bit function elements are decomposed and (4) cvaluating ^ funct ions. Use of a separate 

mto 4 mbbles each, here represented by dependency table is not essential to me state niachine 

F5-f5a+t5b+f5c+f5d and me thod of the present invention. But invariably some 

FU=fl2a+fl2b+fl2c+fl2d where denotes con- « depcnd ency bits" will be required by the amorphous 

catenation. Applying the first nib selector to (f3af5bf5c ^ processes wn ich characterize this method, whether 

f5d f!2a f!2b fl2c fl2d) will permute these nibbles into fcese dep cndency values explicitly are from a special 

say <fl2c f5d fSa f!2b fl2a f5b f5c tl2d). The first sum bufier(s) or they are from some intermediate values, or 

element then becomes SI fl2c+f5d+f5a+fl2b+f- the machine index and state variable are used for depen- 

12a+f5b+f5c+fl2d. dency values. 

The fifth step is to fill 16 byte accumulator multipli- 55 The above state machine configuration was chosen so 
cand 218. To this end, transition controller 202 sends tnat i te software implementations would be somewhat 
the 8-bit accumulation index (parsed from garbage efficient at generating a keystream. However in hard- 
index ram 200) along 203 to collect unit 216. Collect ware, the dispersed amorphous process is simple and 
unit 216 receives successive pairs from sum table ram fast enough so that its use streaming CEM 196 is practi- 
214, combines each pair to form a 32-bit accumulation go cal, and even practical for filling the dependency table, 
element, with these 4 accumulation elements Al, A2, And as VLSI chips become cheaper and more dense, it 
A3, A4 sent along 217 for storage successively in accu- becomes more practical to implement the more efficient 
mulator multiplicand register 218, thus filling it. path picking amorphous process for stream generation. 

Collect unit 216 operates by decomposing received Further, with fast stream generation, annihilation be- 
accumulation index into 4 2-bit collector indexes. The 65 comes a practical option to be applied after say unpack- 

following table defines the sum element pair combining ing packed function indexes and operand generation 

function for a given collector index value. (In the table where now these operations would produce oversized 

below, the pair SI and S2 is used genetically. E.g. if the items which require some reduction. 
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To further clarify the types of modifications which chain) for the sequential, step-wise, operation of the 

do not go beyond the present invention, a short and machine in accordance with the present invention, 

terse list of state machine enhancements is enumerated: Appendix 3 gives statistical results for the machine 

(1) employ more and/or a variable number of functions, generation of cryptographic keys by non-linear pro- 

(2) employ more and/or a variable number of opera- 3 cesses in accordance with the present invention. The 
tions per function, (3) employ more dependency type generated keys are, in general, shown not to assume any 
expansions (eg. expand each function index field indi- significance order by virtue of the amorphous key gen- 
vidually, thus using more dependency indexes), (4) em- eration process of the present invention. 

ploy more types of operations (eg. use a generalized Appendix 4 contains a rudimentary cryptoanalysis of 
addition unit which uses a fairly large operation index 10 the amorphous process for the machine generation of 
to provide many different operations resulting from the cryptographic keys, and the keys so generated, in ac- 
wiring of the carries in a chain defined by resolving the cordance with the present invention. It is in general 
operation index into several transposition indexes, i.e. a shown that the key generation process of the present 
partial permutation), (5) employ more ways of combin- invention is relatively highly secure against cryptoanal- 
ing operations and functions (eg. use some function 15 ysis. 

field to select say OS( 04(02(03, o2), 03(01(ol, o4) ) Appendix 5 shows an example of chained multiplex- 
from among the possible combining configurations), (6) ing as is used in the generation of an amorphous stream 
employ more rounds before the "accumulator** stage is during the machine generation of a cryptographic keys 
reached*', and (7) employ residual dependency buffers in accordance with the present invention, 
which are modified by successive transitions but still 20 Many of the techniques described herein above are 
depend on the value left from the previous transition. immediately applicable to antecedent or posterior parts 

The state machine method has two drawbacks. These of the invention. Some of these employments were 
result from the fact that the analysis required to guaran- explicitly stated, but for brevity and for a smoother flow 
tee large cycle lengths and good statistics may be very of idea evolution, expression of these relations was keep 
difficult, if not impossible. However, by judiciously 25 to a minimum. It will be understood by those skilled in 
chosen individual stages, and use of a CEM at the out- the art where those further applications could have 
put stage, good statistics can be achieved, as empirically been made. Furthermore, other various changes in form 
demonstrated, answering the second drawback. and detail may be made to the preferred embodiments as 

The first drawback can be answered by using a RNG disclosed without departing from the spirit and scope of 
with a known cycle length to guarantee the cycle length 30 the invention as defined by the appended claims, 
of the state machine in the following manner. The RNG In accordance with the preceding discussion, certain 
is used to provide a sequence of machine index and state adaptations and improvements will suggest themselves 
variable pairs. Each pair is sent to the state machine to practitioners of the electronic design arts. For exam- 
which then generates a keystream which is limited to a pie, implementation of the dispersed expanding amor- 
small number of transitions, say a thousand. This limits 35 phous process of the present invention has been taught 
cycling to within a thousand keystream fragments, a * in hardware, but the process could conceivably be un- 
reasonable limit considering that the probability of such ' piemen ted (at reduced speed) in software. Statistics 
a small cycle is extremely small. In this configuration, concerning keys produced by a software approach have 
the key would be the seed applied to the RNG. The not yet been developed. 

security of the RNG is moot here, as long as a large 40 The machine of the present invention is subject to 
cycle and good statistics can be demonstrated, because modification. One potential change to the machine, as is 
here, the state machine is intended as the means of pro- shown in FIG. 1, would be to have a signal line from 
viding cryptographic security. partition extractor 18 to stream router 30. As it is now, 

Additional materials in support of a complete disclo- the stream router assumes a fixed size for partition in- 
sure of the present invention are contained in five at- 45 dexes. This is true for the path-picking method (of FIG. 
tached appendices 1 through 5. 3) as described in the claims. But in this section, the 

Appendix 1 is a help for associating the language of enhancement of using a dynamic number of elements in 
the claims, and the functionality of the machine of the partitions was suggested, and in fact was implemented 
present invention as expressed in the claims, with the together with variable sized partition indexes in the 
drawings. The association between 1) the composite 50 software version whose results are presented in AP- 
names and cursory descriptions of the elements of the PENDIX 3. The dispersed method (of FIG. 4) always 
preferred embodiments of the machine of the inven- uses variable sized partition indexes. It is somewhat 
tions, as such elements are shown in the drawings and arbitrary assumed that the maximum size is always 
discussed in the specification, is set forth in Appendix 1 parsed from the amorphous stream. Size detection logic 
relative to 2) the language of the claims accompanying 55 on extractor 18 could be implemented. Note that at 
the application as originally filed. Because the claims present the message key exploder of FIG. 5 assumes this 
are a part of the teaching of any application, the struc- signaling capability in that all of the amorphous stream 
ture and function of the machine in accordance with the is routed as keystream when using the generator of 
present invention may again be reviewed and under* FIG. 1. An implicit flag in partition descriptor is thus 
stood by reference to the claims. Appendix 1 also pro- 60 being used. Such a potential refinement to the machine, 
vides a help for associating the language of the claims and process, of the present invention is in the nature of 
with the parallel teaching of the drawings and of the a minor detail. 

specification. In accordance with these and other possible v aria- 

Appendix 2 details the data flow for selected compo- tions and adaptations of the present invention, the scope 
cents, and shows in particular the complete data flows 65 of the invention should be determined in accordance 
of drawings FIGS. 1 and 2. The data flows set forth in with the following claims, only, and not solely in accor- 
Appendix 2 are organized in time sequence, and Appen- dance with that embodiment within which the inven- 
dix 2 thus serves as a main timing diagram (or timing tion has been taught. 
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What is claimed is: 4. The machine according to claim 1 for generating 

1. A machine for generating a cryptographic key by an extended-length cryptographic key, the machin e 
processes similar to those normally associated with further comprising: 

encryption of plain text data, the machine comprising: 4) a feedback means, receiving the amorphous bitstream 

1) a base key source for providing a set of essentially 5 from the amorphous processor, for mapping the re- 
random bits defined as a base cryptographic key; coved amorphous bitstream into (i) a new amorphous 

2) a partition index source for providing an essentially partition index and (ii) a keystream portion, and for 
random number called an amorphous partition index; feeding back the new amorphous partition index to 
^ the amorphous processor for use therein and thereby; 

3) an amorphous processor, receiving the base key from 10 _ v and , m , „ 
the base key source means and the amorphous parti- 5 > a recursive control means for repetitively cychcally 
tion index from the random number source, exercismg the amorphous processor and the feedback 
for reforming on the base key means u so **t.™ a plurality -of cycles , a plurakty of 
a generalized combination with substitutions „ amorphous Streams are produced by the^amor- 
m^rdan^use of the amorphous paction « JeTr^ 

inaex as a vc wherein the amorphous processor recursively performs 

in order o produce another essentially random set of on ^ basc kc / succc ^ V e generalized combinations 

bits called an imiorphous bitstream, the amorphous ^ substitutions m accordancc with successive 

processor including 20 amorphous partition indices in order to produce a 

3.1) a selector for selecting from the base key m ac- lurality of successive amorphous keystream por- 
cordance with the amorphous partition mdex a tions- 

selected set of bits, wherein the plurality of successive amorphous keys- 

3.2) a sequencer for sequentially ordering the selected Ucam portions constitute, in aggregate, the extended- 
set of bits in accordance with the amorphous parti- 2 5 length cryptographic key; 

tion index to produce an ordered selected set of wherein a recursive amorphous process by which the 

bits, and base cryptographic key is used, in successive cycles, 

3.3) a logical complimenter for logically comple- to produce the extended-length cryptographic key is, 
menting the ordered selected set of bits in accor- because it is still a generalized combination with sub- 
dance with the amorphous partition index to pro- 30 stitutions, still itself in the nature of a cryptographic 
duce a logically-complemented ordered selected transform. 

set of bits called an amorphous bitstream; 5. The machine according to claim 4 wherein the 

wherein a generalized combination with substitutions is amorphous processor comprises: 

performed on the base cryptographic key in accor- a mapping means which expands a received amorphous 

dance with the amorphous partition index; and 35 partition index into an amorphous bitstream of a 

wherein the generalized combination with substitutions . greater number of bits than are within the amorphous 

performed on the base cryptographic key, which base partition index; 

key is itself an essentially random set of bits, in accor- wherein feedback of the new amorphous partition index 

dance with the amorphous partition index, which will leave one or more bits for the keystream portion; 

partition index is itself an essentially random number, *0 wherein, because the amorphous process produces a 

by the amorphous processor constitutes a process number of bits beyond the partition index size, the 

describable as amorphous, which is why the amor- amorphous process is called an expansion process and 

phous processor is called such, and is likewise why tne amorphous processor is called an expanding 

the set of bits produced by the amorphous processor amorphous processor. 

is called an amorphous bitstream; 45 6 * ^ maclune according to claim 1 for generating 

wherein the amorphous process by which the base ™ j^nded-length cryptographic key, the machine 

cryptographic key is used to produce the amorphous turtner comprising: 

biSream is, because it is a generalized combination 6 > a nun l bcr ^ for P rov,dm * a "W** of 

with substitutions, itself in the nature of a crypto- _ essentially random numbers; 

hi t f ' * F 50 7) a cycle control means for repetitively exercising the 

grap c ransorm; . . . s amorphous processor and the random number source 

as a cryptographic key likewise as is the base crypto- ^ ^ ov J a pluralhy of cyclcSf a plurality of amor . 

graphic key from which it is derived; hous bitstrcams m produced b y the amorphous 

wherein no order has been imparted to the crypto- processor 

graphic keystream by the amorphous transformation 55 whcreill the random number source provides for a new 

thereof, amorphous partition index for each cycle, or in addi- 

2. The machine according to claim 1 ^ ^ random number source provides for a new 
wherein the selector of the amorphous processor per- base key for each cycle as well; 

missibly selects from the base key, in accordance with wherein the entire amorphous bitstream is used as a 
the amorphous partition index, a subset of bits that $o keystream portion; 

includes multiple instances of bits of the base key set; wherein the plurality of successive amorphous keys- 

wherein the selected set permissively contains more bits tream portions constitute, in aggregate, the extended- 

than are within the base key. length cryptographic key. 

3. The machine according to claim 1 further compris- 7. The machine according to claim 6 wherein the 
ing: 65 amorphous processor comprises: 

encryption means for using the amorphous bitstream a mapping means which contracts a received amor- 
produced by the amorphous processor as a crypto- phous partition index into an amorphous bitstream of 
graphic key in a cryptographic transform. fewer bits than the amorphous partition index; 
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wherein a soSrce of amorphous partition indexes is 
necessary to produce a keystream; 

wherein, because the amorphous process produces a 
number of bits fewer than the partition index size, the 
amorphous process is called a contracting process 
and the amorphous processor is called an contracting 
amorphous processor. 

8. The machine according to claim 7 wherein the 

random number source comprises: 

an expanding amorphous processor in a feedback con- 
figuration; 

wherein cryptographic security of the plurality of 
amorphous bitstreams, and of the cryptographic key, 
generated by the machine is achieved by the contrac- 
tion process; 

wherein, because the expanding amorphous processor 
of the random number source expands while the map- 
ping means of the amorphous processor, which amor- 
phous processor uses the random number as a new 
amorphous partition index and a new base key for 20 
each cycle, contracts, the entire process is called an 
amorphous teeter-totter process. 

9. The machine according to claim 6 wherein the 
random number source comprises: 

a cryptographically insecure random number genera- 
tor; 

wherein cryptographic security of the plurality of 
amorphous bitstreams, and of the cryptographic key, 
generated by the machine is achieved by the contrac- 
tion process. 

10. An expandmg-amoiphous-process keystream gen- 
erator for recursively producing 
from a base key having a multiplicity of binary bits 
in accordance with a partition index that serves to spec- 
ify how an amorphous bitstream is to be formed from 
the base key, 

which partition index is itself decomposed during its use 
by a parameter called a partition descriptor, 

an amorphous keystream having binary bits of number 
greatly beyond those needed before cyclic behavior 40 
commences, the expanding-amorphous-process keys- 
tream generator comprising: 

1) source registers for providing three quantities that 
are input to the keystream generation process, the 
source registers including 

1.1) a base key source register for providing a base 
key having a multiplicity of binary bits, 

1.2) an initial partition index source register for pro- 
viding an initial partition index, the initial partition 
index serving to specify how an amorphous bit- 
stream is to be formed from a base key, and 

1.3) a partition descriptor source register for provid- 
ing a partition descriptor, the partition descriptor 
serving to parameterize the decomposition of parti- 
tion indexes; 

2) process intermediary-result registers including 

2.1) a base key register for storing the base key, 

2.2) a partition descriptor register for storing the 
partition descriptor, 

2.3) a partition index register for storing a current 
partition index commencing with the initial parti- 
tion index, 

2.4) a plurality of element descriptor registers each 
for storing a quantity called an element descriptor, 
each element descriptor elsewhere serving to pa- 65 
rameterize a dividing of the base key into a data 
portion called an element, the collective element 
descriptors collectively serving to substantially 
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define how a partition is to be performed on the 
base key to produce a plurality of elements there- 
from, 

2.5) a plurality of current-and-master holdback-regis- 
ter pairs, one register pair corresponding to each of 
the plurality of elements, each for holding a quan- 
tity called multiplexing information, the collective 
multiplexing information elsewhere serving to con- 
trol the multiplexing of data from a the plurality of 
elements during formation of an amorphous 
stream, and 

2.6) a plurality of emission-fragment-and-emission- 
count register pairs, one register pair correspond- 
ing to each element, each pair for holding a quan- 
tity called an emission fragment and also another 
data quantity called an emission count, these emis- 
sion fragments and emission counts elsewhere serv- 
ing to control the multiplexing of data from a cor- 
responding element during the formation of the 
amorphous stream; 

3) a partition extractor circuit means, receiving a cur- 
rent partition index from the partition index register 
and the partition descriptor from the partition de- 
scriptor register, for decomposing the current parti- 
tion index in accordance with the partition descriptor 
into (i) a plurality of initial element descriptors for 
storage by the plurality of element descriptor regis- 
ters, (ii) a plurality of multiplexing information for 
storage by the plurality of current-and-master hold- 
back-register pairs, (iii) initial element chaining infor- 
mation for storage and use within a holdback multi- 
plexer, and (iv) current element information for stor- 
age and use within the holdback multiplexer; 

4) an emission generator circuit, receiving the base key 
from the base key register means and successive ele- 
ment descriptors from successive ones of plurality of 
element descriptor registers, for transforming each 
element descriptor into the emission fragments and 
the emission counts which are stored by the plurality 
of by eniission-fragment-and-emission-count register 
pairs, and for storing a plurality of modified element 
descriptors back into the plurality of element descrip- 
tor registers, the emission generator means operating 
to 

choose bits from among the bits of the base key in 
accordance with each element descriptor, and 

selectively substitute bits in accordance with the same 
element descriptor; 

5) a holdback multiplexer, receiving the emission frag- 
ments from the plurality of emission-fragment-and- 
emission-count register pairs plus multiplexing infor- 
mation from the current-and-master holdback-regis- 
ter pairs plus initial element chaining information and 
current element information from the partition ex- 
tractor, for forming an amorphous stream by select- 
ing bits from the emission fragments where each se- 
lection is subject to suspension for a given element 
cycle based on the multiplexing information; 

6) a stream router means, receiving the amorphous 
stream from the holdback multiplexer, 

for passing an initial portion of the amorphous stream 
to the partition index register means, and 

for outputting a remainder of the amorphous stream 
as the keystream fragment; and 

7) a control means including 

7. 1) an initialization cycle means serving to load the 
base key storage register means, the partition de- 
scriptor register means, and the partition index 
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register means with their corresponding initial 
quantities respectively from the base key source 
register means, the partition descriptor source reg- 
ister means, and the initial partition index source 
register means, 5 

7.2) a partition extraction cycle means serving to load 
the plurality of element descriptor register means, 
the holdback-register pairs, and the link registers 
internal to the holdback multiplexer means with 
quantities derived by the partition extractor means 
from its decomposition of the current partition 
index received from the partition index register 
means, and 

7.3) a holdback multiplexer cycle control means for 
controlling the holdback multiplexer to generate 
the amorphous stream; 

wherein feedback is provided through a next partition 
index which permits another partition and hence 
another amorphous stream to be formed; 

wherein a plurality of keystream fragments result; 

wherein a concatenation of successive keystream frag- 
ments is defined as the keystream. 

11. The keystream generator according to claim 10 
wherein the 5) holdback multiplexer comprises: 

5.1) pairs for storing a doubly-linked list of the ele- 
ments; 

5.2) a target register for holding an address of a cur 
rent element being multiplexed; 

5.3) an emission counter for decrementing values 
contained in the emission count registers; 

5.4) a holdback counter for decrementing values con- 
tained in the current holdback registers; and 

5.5) a shift register for parsing bits from the emission 
fragment registers to form an amorphous stream. 

12. The keystream generator according to claim 11 
wherein the 5.1) plurality of previous-and-next-element- 
link register pairs means comprises: 

5.1.1) a plurality of sets of previous-and-next-ele- 
ment-link register pairs with each set forming 43 
an chain of permuted elements; 

wherein the multiplexing of element emissions 
proceeds by successive processing of the 
chains with each chain processed by assessing 
each element of that chain once, until all ele- 45 
merits are exhausted. 

13. The keystream generator according to claim 10 
wherein the 7.3) holdback multiplexer cycle control 
means comprises: 

7.3.1) an emission counter loading/decrementing/- 50 
transferring control means for loading the emis- 
sion counter means with an emission count of a 
target element, for decrementing the emission 
counter, and for transferring the decremented 
contents of the emission counter means back to 55 
the emission count register save for, alterna- 
tively, aborting the store cycle whenever a hold- 
back suspension occurs or whenever an emission 
count is zero in which case a refill request to the 
emission generator is required; 

7.3.2) a holdback counter loading/decrementing/- 
transferring control means for loading the hold- 
back counter means with a current holdback of a 
target element, for decrementing the holdback 
counter, and for transferring the contents of the 
holdback counter back to the current holdback 
register save for, alternatively, transferring a 
master holdback to the current holdback register 
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whenever the decrement operation results in 
zero in which case a suspension has occurred; 

7.3.3) a shift register loadtng/shifting/transferring 
control means for loading the shift register 
means with an emission fragment of a target 
element, for shifting the shift register means, for 
transferring the shifted bit to the amorphous 
stream, and for transferring the shifted contents 
of the shift register means back to the emission 
fragment; 

7.3.4) a target element advancement control means 
for storing the target element contents of the 
element link next register in the target register 
means; 

7.3.5) an element delinking control means for un- 
mapping a target element from the element link 
registers by modifying proper registers therein 
whenever an element emission exhausted signal 
is received from the emission generator means 
upon a refill request failure; 

7.3.6) a termination control means for detecting the 
unmapping of the last element and then signaling 
the partition extractor to evoke another parti- 
tioning of the base key; and 

7.3.7) a multiplexer cycle control means for con- 
trolling the holdback multiplexer to generate the 
amorphous stream, the multiplexing cycle means 
including 

7.3.7.1) an emission count reset cycle means for 
zeroing the emission-count registers before 
processing a new partition, 

7.3.7.2) an element selection means for cyclically 
successively selecting an element, 

7.3.7.3) an emission count fetch means for read- 
ing the emission count register of the selected 
element, 

7.3.7.4) a refill cycle means for filling the se- 
lected emission register pair whenever the 
emission count is zero, the refill being accom- 
plished by sending a request to the emission 
generator means, 

7.3.7.5) an element unlink means for removing an 
element from the chain of elements by modify- 
ing the element link registers whenever a refill 
emission request returns an element exhausted 
signal, 

7.3.7.6) a current holdback fetch means for read- 
ing the current holdback register of the se- 
lected element, and 

7.3.7.7) means for returning to the partition ex- 
traction cycle means once all elements are 
exhausted; 

14. The keystream generator according to claim 13 
wherein the 4) emission generator means comprises: 

4.1) a plurality of work registers which duplicate 
those of an element descriptor except for the path 
register; 

4.2) a fronts buffer, being a shift-right register for 
holding the next front bits used while forming an 
element emission; 

4.3) a fronts counter, being a count-down counter for 
holding the number of valid bits in the fronts 
buffer; 

4.4) a tails buffer, being a shift-left register for holding 
the next tail bits used while forming an element 
emission; 

4.5) a tails counter, being a count-down counter for 
holding the number of valid bits in the tails buffer; 
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4.6) a shift register for filling the fronts and tails buff- 
ers; 

4.7) a path and substitution generator means for pro- 
viding a stream of path selection bits and substitu- 
tion bits used to form emission fragments; 

4.8) an XOR means for forming emission bits; 

4.9) an emission buffer, being a shift-right register for 
collecting the emission bits; 

4.10) an emission counter, being a count-up counter 
for holding the number of valid bits in the emission 
buffer, 

4.11) an emission controller means for processing a 
refill request from the holdback multiplexer, the 
emission control means including 

4.11.1) a means for loading the work registers and 
internal registers of the path and substitution 
generator with the contents of the element de- 
scriptor selected by the target register, 

4.1 1.2) a means for checking if the remainder work 
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4.11.7) a means for pulsing the emission buffer to 
load the emission bit, 

4.11.8) a means for pulsing the emission counter 
and to detect emission buffer full, 

4.11.9) a means for decrementing the remaining 
count work register and detect whenever the 
element emission is exhausted, 

4.11.10) a means for pulsing the emission buffer to 
right justify the contents upon an exhausted ele- 
ment emission, 

4.11.11) a means for transferring the emission 
buffer and emission counter contents to the emis- 
sion fragment and emission count register pair, 
and 

4.11.12) a means for saving the contents of the 
modified work registers and internal registers of 
the path and substitution generator to the ele- 
ment descriptor selected by the target register. 

15. The keystream generator according to claim 14 



register is zero whereupon the refill request is 20 wherein & e 4.7) path and substitution generator means 
terminated by sending an element exhausted 
signal, 

4.11.3) a means for filling the fronts buffer and 



fronts counter including 

4.1 1.3.1) a means for loading the sift register with 25 
a word from the base key whose address is 
formed by taking the current front work regis- 
ter value and shifting it to the right by a num- 
ber determined by the number of bits in a 
word, 

4.11.3.2) a means for pulsing the shift register to 
the right by a number determined by the least 
significant bits of the current front work regis- 
ter whereupon the result consists of the lead- 
ing bits of the next front bits, 

4.11.3.3) a means for transferring the shift regis- 
ter contents to the fronts buffer, 

4.11.3.4) a means for computing the number of 
valid front bits fetched through computations 
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comprises: 

4.7.1a) a path selection generation means including 
4.7.1.1) a linear shift register with feedback pro- 
vided directly from the linear shift register's 
output wherein an output bit-stream is uses 
successively as path selection bits; and 
4.7.2) a substitution generation means including 
4.7.2.1) a linear shift register with feedback pro- 
vided directly from the linear shift register's 
output wherein output bit-stream is used suc- 
cessively as substitution datum bits. 

16. The keystream generator according to claim 14 
wherein the 4.7) path and substitution generator means 
comprises: 

4.7.16) a maximal length linear shift register whose 
output bit-stream is alternately passed as path 
selection bits and substitution bits. 

17. The keystream generator according to claim 14 



based on the current front work register and 40 therein the 4.7) path and substitution generator means 



last front work register values, 
4.11.3.5) a means for initializing the fronts 
counter with the computed count value; 

4.11.4) means for filling the tails buffer and tails 
counter which utilizes and operates in a manner 45 
symmetrica] to the means used to fill the fronts 
buffer and fronts counter, 

4.1 1.5) a means for resetting the emission counter 
to zero, 

4.1 1.6) a means for forming an emission bit includ- 50 
ing 

4.11.6.1) a means for receiving a path selection 
bit from the path and substitution generator, 

4.1 1.6.2) a means for pulsing either the fronts or 



comprises: 

4.7.1c) a compound linear shift register. 
18. The keystream generator according to claim 10 
wherein the 2.4) plurality of element descriptor regis- 
ters each for storing a quantity called an element de- 
scriptor comprise: 

2.4.1) a first front register; 

2.4.2) a current front register; 

2.4.3) a last front register, 

2.4.4) a first tail register, 

2.4.5) a current tail register, 

2.4.6) a last tail register; 

2.4.7) a remainder register, and 

2.4.8) a path register; 



tails buffer selected by the path selection bit to 55 AND WHEREIN the 3) partition extractor circuit 



obtain an element bit, 

4. 1 1.6.3) a means for receiving from the path and 
substitution generator a substitution bit which 
is XORed with the element bit to form an 
emission bit using the XOR means, 60 

4. 1 1 .6.4) a means for advancing the bit address in 
the associated current front or tail work regis- 
ter wrapping the address is necessary to either 
the first front value or last tail value, and 

4.11.6.5) a means for pulsing either the fronts or 65 
tails counter selected by the path selection bit 
and refill associated buffer and counter when- 
ever the decrement operation results in zero, 



means comprises: 

3.1) a partition index decomposition means for de- 
composing the partition index into (i) a permuta- 
tion selector and (ii) a plurality of partition element 
specifiers; 

3.2) a partition element specifier decomposition 
means for decomposing each of the plurality of 
partition element specifiers into a plurality of speci- 
fication fields wherein each of the specification 
fields individually parameterizes a corresponding 
element, to wit 

(i) a size specification field specifies the number of 
bits in each the element, 
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(ii) a hole specification field specifies the number of 
leading bits in the element to be excluded, 

(iii) a path-picking specification field specifies a 
substitutive path to be taken within the non-hole 
element bits, 

(iv) an initial item specification field specifies the 
starting bit for the substitutive path, 

(v) a truncate specification field specifies a limit to 
the length of the substitutive path* 

(vi) an initial holdback specification field specifies 
an initial value for the holdback counter, while 

(vii) a master holdback specification field specifies 
a holdback reset value for the holdback counter, 

3.3) evaluation means for processing the specification 
fields into element descriptor and holdback values 15 
therein to define a partition on the base key in the 
form of a plurality of contiguous elements, the 
element descriptor contained within each of the 
plurality of element descriptor registers serving to 
parameterize a element emission, to wit 

(i) the 2.4.1) first front register contains a bit ad- 
dress of the base key of an element's first front 
bit, 

(ii) the 2.42) current front register contains a bit 
address in the base key of the element's current 
front bit, 

(iii) the 2.4.3) last front register contains a bit ad- 
dress in the base key of the element's last front 
bit, 

(iv) the 2.4.4) first tail register contains the bit ad 
dress in the base key of the element's first tail bit, 

(v) the 2.4.5) current tail register contains the bit 
address in the base key of the element's current 
tail bit, 

(vi) the 2.4.6) last tail register contains the bit ad- 
dress in the base key of the element's last tail bit, 

(vii) the 2.4.7) remainder register contains the num- 
ber of bits yet to be output as an element emis- 
sion, and 

(viii) the 2.4.8) path register contains a value which 
parameterizes a substitutive path; 

3.4) means for successively transferring the evaluated 
values to the appropriate registers; and 

3.5) permuting means for mapping the permutation 45 
selector into a randomly permuted order for the 
elements whose order is transmitted to the hold- 
back multiplexer by initializing the element link 
registers therein. 

19. The keystream generator according to claim 10 so 
wherein the 3) partition extractor circuit means com- 
prises: 

3.1) partition index decomposition means for decom- 
posing the partition index into (i) a plurality of 
dispersed element specifiers and (ii) a plurality of 55 
skipper groups with exactly one skipper group 
associated with each dispersed element specifier; 

3.2) dispersed element specifier decomposition means 
for decomposing each of the plurality of dispersed 
element specifiers into a plurality of specification 60 
fields wherein each of the specification fields indi- 
vidually parameterizes a corresponding element, to 
wit 

Q) a start point specification field specifies a start- 
ing bit in the base key, 

(ii) a skip cycles specification field specifies the 
number of the skippers in the corresponding 
skipper group, 
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Oii) a next delta specification field specifies the 
number of bits to be added to the starting bit to 
define a secondary starting bit, 

(iv) an XOR cycles specification field specifies the 
number of bits in an xor datum specification 
field, 

(v) an initial holdback specification field specifies 
the initial value for the holdback counter, and 

(vi) a master holdback specification field specifies 
the holdback reset value for the holdback 
counter; 

3.3) evaluation means for processing the specification 
fields and a skipper group into element descriptor 
and holdback values thereby defining a partition on 
the base key in the form of a plurality of dispersed 
elements wherein the registers of each el em e n t 
descriptor parameterize a element emission, to wit 

(i) a start register contains the bit address in the 
base key of the element's initial bit, 

(ii) a pointer register contains the bit address in the 
base key of the element's current emission bit; 

(iii) a skipper count register contains the number of 
valid skippers in the skipper table, 

(iv) a skipper table is contained in a plurality of 
registers of sufficient number so as to hold the 
maximum possible count of skippers, 

(v) a current skipper register selects some skipper 
in the skipper table, 

(vi) a delta register contains the incremental value 
used to form a secondary starting bit or zero 
upon beginning generation of the secondary 
portion of the emission, as the case may be, 

(vii) a tap register contains the feedback tap point 
for the dispersed substitution generator, 

(vii) a XOR datum register contains the bit values 
for the dispersed substitution generator; 

3.4) means for successively transferring the evaluated 
values to the appropriate registers; and 

3.5) means for generating a successive ordering of the 
elements whose order is transmitted to the hold- 
back multiplexer by initializing the element link 
registers therein. 

20. The keystream generator according to claim 19 
wherein the 4) emission generator circuit comprises: 

4.1) a plurality of work registers duplicating those of 
an element descriptor except for the tap and XOR 
datum register; 

4.2) a dispersed substitution generator, being a linear 
shift register of controllable length employing di- 
rect feedback wherein a tap control register speci- 
fies the feedback point within the shift register; 

4.3) an XOR means for forming emission bits; 

4.4) an emission buffer, being a shift-right register for 
collecting the emission bits; 

4.5) an emission counter, being a count-up counter for 
holding the number of valid bits in the emission 
buffer; 

4.6) a dispersed emission controller means for pro- 
cessing a refill request from the holdback multi- 
plexer, the dispersed emission controller means 
including 

4.6.1) means for loading the work registers and 
dispersed substitution generator with the con- 
tents of the element descriptor selected by the 
target register, 

4.6.2) means for forming an emission bit including 
4.6.2.1) means for fetching the base key bit se- 
lected by the pointer work register which is 
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XORcd using the XOR means with the output 
of the dispersed substitution generator to form 
an emission bit, 

4.6.2.2) means for pulsing the dispersed substitu- 
tion generator to advance the LSR to the next 5 
state, 

4.6.2.3) means for advancing the pointer work 
register by adding to it the value of the skipper 
selected by the current skipper work register, 
plus one, assuming that arithmetic is such that 10 
an overflow wraps to the start address in the 
base key, 

4.6.2.4) means for detecting the pointer crossing 
the starting bit whereupon the pointer work 
register is initialized with the secondary start- 15 
ing bit address computed from start and delta 
work registers with the delta work register 
zeroed unless the delta was already zero 
which then signals that the emission is ex- 
hausted, 20 

4.6.2.5) means for advancing the current skipper 
work register by incrementing it once subject 
to bounding by the contents of the skipper 
count work register so that it addresses a valid 
skipper in the skipper work table, 25 

4.6.3) means for pulsing the emission buffer to load 
the emission bit; 

4.6.4) means for pulsing the emission counter and 
to detect emission buffer full; 

4.6.5) means for pulsing the emission bufTer to right 30 
justify the contents upon an exhausted element 
emission; 

4.6.6) means for transferring the emission buffer 
and emission counter contents to the emission 
fragment and emission count register pair se- 35 
lected by the target register in the holdback ; 
multiplexer, 

4.6.7) means for saving the contents of the modified 
work registers and dispersed substitution genera- 
tor to the element descriptor selected by the 40 
target register. 

21. The keystream generator according to claim 10 
wherein the 1.2) initial partition index comprises: 

1.2.1) a source of a message key specifying how an 
initial partition index is to be formed by a non- 45 
linear transformation; 

1.2.2) a source of an encrypted explosion pointer 
which parameterizes the partition index forma- 
tion; 

1.2.3) CRC means for transforming a bit stream 50 
into its cyclic redundancy code; 

1.2.4) a multiplicand register for holding the CRC 
result; 

1.2.5) a holding register, being a shift register; 

1 .2.6) CEM means for performing a coarse encoder 55 
multiplication of an multiplicand and a multiplier 
stream, the CEM means including 

1.2.6.1) means for forming a finite sequence of 
position value and XOR datum bit pairs from 
the multiplier stream, and 60 

1.2.6.2) means for forming a product bit by 
modulo-2 addition of a XOR datum bit with a 
bit in the multiplicand selected by the corre- 
sponding position value; 

1.2.7) a bit address register for selecting the next bit 65 
in the base key while forming a bit stream; 

1.2.8) streamer means for forming a bit stream by 
successively incrementing the bit address regis- 
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ter and outputting the base key bits selected, 
wherein cyclical addressing is employed; 

1.2.9) a plain text RAM for holding a plurality of 
copies of the message key; 

1.2.10) an encoder means including 

1.2.10.1) means for forming a permutation selec- 
tor and an XOR modifier of same size as the 
plain text from a bit stream, 

1.2.10.2) means for adding bitwise modulo-2 the 
XOR modifier to the plain text, and 

1.2.10.3) means for permuting the plain text bits 
in accordance with the permutation selector, 

1.2.1 1) an expansion RAM for providing a scratch 
pad area while forming a partition index; 

1.2.12) a bus switch means for providing access to 
the expansion RAM; 

1.2.13) an exploder controller means including 

1.2.13.1) means for storing a message key in the 
plain text RAM and to fill the remaining area 
with copies of the message key, 

1.2.13.2) means for feeding the message key to 
the CRC and to store the result in the multipli- 
cand register, 

1.2.13.3) means for storing an encrypted explo- 
sion pointer in the bit address register, 

1.2.13.4) means for filling the holding register by 
receiving successive product bits from the 
CEM which receives a multiplier stream from 
the streamer, 

1.2. 13.5) means for storing the holding register in 
the bit address register, 

1.2.13.6) means for transforming the plain text 
and the streamer's bit stream by means of the 
encoder with the result stored in the expansion 
RAM as the first amorphous seed, 

1.2.13.7) means for decomposing the first amor- 
phous seed into a first partition index and a 
first partition descriptor, 

1.2.13.8) means for transmitting first partition 
index and first partition descriptor to the ex- 
panding amorphous process keystream gener- 
ator, 

1.2.13.9) means for receiving from the keystream 
generator the amorphous stream, the stream 
router passing all of its bits, which is stored in 
the expansion RAM as a second amorphous 
seed; 

1.2.13.10) means for expanding a second amor- 
phous seed by the same process as first amor- 
phous seed was expanded; 

wherein the initial partition index is defined as the 
amorphous stream stored in the expansion RAM 
resulting from the second amorphous seed expan- 
sion; 

wherein the initial partition index is derived from a 

smaller message key. 
22. A contracting amorphous process keystream gen- 
erator comprising: 

1) a random number generator means for providing a 
random number stream, which random number 
stream will be amorphously compressed to form a 
keystream; 

2) an XOR means, receiving the random number stream 
from the generator means, for rjerforming modulo-2 
addition on bit pairs derived from the random number 
stream in accordance with XOR bit values to form a 
plurality of data bits; 
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3) a segmented shift register means, receiving the plural- 
ity of data bite from the XOR means, for storing these 
data bits, for deleting a plurality of bit values at given 
addresses by process of shifting the data bits beyond 
a specified delete point address to recover a bit ad- 
dress being deleted, and for inserting a plurality of 
datum bits from the XOR means at specified insert 
addresses by first shifting the bits at and beyond an 
insert point to make room for a datum bit to be in- 
serted; 

4) a permuting means, receiving the random number 
stream from the generator means, for generating ran- 
dom permutations by forming a plurality of permuted 
indexes from the random number stream in accor- 
dance with a permutation selector; 

5) a contraction controller means for forming the keys- 
tream, the contraction controller including 

5.1) parsing means, receiving the random number 
stream from the random number generator means, 
for decomposing the random number stream into 
(0 a plurality of bit pairs sent to the XOR means as 
the XOR bit values, (ii) a permutation selector sent 
to the permuting means, (in) a plurality of deleters 
sent to the segmented shift register means, each 25 
deletor serving as an deletion point address therein, 
and (iv) a plurality of creators sent to the seg- 
mented shift register means, each creator serving as 
an insert address therein, the number of creators 
being the same as the number of deletors; 

5.2) filling means for storing a plurality of datum bits 
received from the XOR means in the segmented 
shift register means at addresses that are selected 
by the plurality of permuted indexes received from 
the permuting means; 

5.3) deletion means for deleting a plurality of bits 
from the segmented shift register in accordance 
with deletors received from the parsing means, 
each deletor successively selects one bit to be de- 
leted; 

5.4) creation means for inserting a plurality of datum 
bits from the XOR means into the segmented shift 
register means in accordance with creators re- 
ceived from the parsing means, each creator suc- 
cessively selecting an address at which a datum bit 45 
is inserted; 

wherein, upon completion of operations, the contents 
of the segmented shift register means forms a keys- 
tream fragment; 

wherein decomposition of additional random num- 
bers results in a plurality of keystream fragments; 

wherein a concatenation of successive keystream 
fragments is defined as the keystream. 

23. The keystream generator according to claim 22 
wherein the 4) permuting means comprises: 

4.1) an index extractor means for decomposing a 
permutation selector into a plurality of transposi- 
tion indexes of quantity one less than the number of 
bits to permute; 

4.2) a permutation buffer, being a plurality of regis- 
ters of quantity equal to the number of bits to per- 
mute; 

4.3) a slot counter, being a count-down counter used 

to address registers within the permutation buffer; 65 

4.4) a permutation controller means for forming the 
permuted indexes, the permutation controller 
means including 
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4.4.1) means for initializing the permutation buffer by 
successively filling the registers therein with the 
consecutive integers starting with zero, 

4.4.2) means for initializing the slot counter so that it 
addresses the last permutation buffer register; 

4.4.3) means for receiving a transposition index used 
to address a permutation buffer register whose 
content is output as a pennutated index, 

4.4.4) means for storing the contents of the permuta- 
tion buffer register addressed by the slot counter at 
the transposition index's location, 

4.4.5) means for pulsing the slot counter with a regis- 
ters exhausted detection capability, and permuta- 
tion buffer register as a last pennutated index, 

wherein the transposition indexes are successively 
transformed into a sequence of pennutated indexes 
which define a permutation. 

24. The keystream generator according to claim 23 
wherein the 4.1) index extractor means comprises: 

4.1.1) a selector parser means for decomposing a 
permutation selector into CO a direction value and 
(ii) a plurality of shuffle indexes with each transpo- 
sition index to be derived from one shuffle index 
wherein successive shuffle indexes are formed 
using the minimal number of bits needed to span 
the registers in the permutation buffer up to and 
including the register addressed by the slot 
counter; 

4.1.2) a shuffle register used for holding a shuffle 
index value; 

4.1.3) a span counter, being a count-down counter for 
holding the number of permutation buffer registers 
that a shuffle index must span; 

4.1.4) a first subtracter for subtracting the span 
counter contents from the shuffle register contents 
to provide a result and a borrow signal; 

4.4.5) a decrementor for decrementing by one the 
contents of the span counter; 

4.1.6) a second subtracter for subtracting the result 
from first subtracter from the output of the 
decrementor; 

4.1.7) a direction source, being a shift register using 
the complemented output of itself as the feed- 
back signal; 

4.1.8) an index controller means for forming the 
transposition indexes including 

4.1.8.1) means for initializing the direction 
source with the direction value from selector 
parser, 

4.1.8.2) means for initializing the span counter 
with the number of bits to permute, 

4.1.8.3) means for loading the shuffle register 
with the shuffle index from selector parser, 

4.1.8.4) means for outputting the contents of the 
shuffle register as a transposition index when- 
ever a borrow signal from the first subtracter 
is active, 

4.1.8.5) means for outputting either the result 
from the first subtracter or the second sub- 
tracter as a transposition index whenever the 
borrow signal from the first subtracter is inac- 
tive, wherein result selection is determined in 
accordance with the direction source, and to 
pulse the shift register in the direction source, 
and 

4.1.8.6) means. for pulsing the span counter; 
wherein a sequence of transposition indexes are 

formed. 
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25. A state machine keystream generator comprising: 

1) a source of a key in the form of a machine index and 
a state variable; 

2) a process intermediary-result register means includ- 
ing 

2.1) a machine register means for storing a machine 
index, the machine index serving to parameterize a 
transition and output function of the state machine, 

2.2) a state register means for storing a state variable, 
the state variable serving to further parameterize 
the transition and output function during each tran- 
sition, 

2.3) a dependency table means for storing pseudo 
random bits, filled at the start of each transition, 
which parameterize a state transition, 

2.4) a garbage index means for storing a garbage 
index which specifies how a state transition is to 
proceed, a garbage index comprises the various 
fields of (i) a global dependency index, (ii) a plural- 
ity of packed function indexes, (iii) a nibble perm 
selector, (iv) an accumulation index, (v) a permuta- 
tion selector, (vi) a state emitter index, and (vii) an 
output emitter index, 

2.5) a function table means for storing a plurality of 
function values, 

2.6) a sum table means for storing a plurality of sum 
elements, 

2.7) an accumulator multiplicand register means for 
storing a plurality of accumulation elements; and 

3) a process state transition computational means in- 
cluding 

3.1) a random generator means for forming random 
numbers, in accordance with a seeding value re- 
ceived from the machine register means and state 33 
register means, for storage in the dependency table 
means, 

3.2) a streaming CEM means for coarse encoder mul- 
tiplication of a multiplicand and a multiplier stream 
specified by a starting address within the depen- 
dency table means to form a product value, the 
streaming CEM means including 

3.2.1) a streamer means for forming a multiplier 
stream from a starting address which selects a bit in 
the dependency table means, the multiplier stream 45 
consisting of a selected bit and those bits immedi- 
ately following, cyclically addressed, 

3.2.2) a parsing means for forming a plurality of 
position value and XOR datum bit pairs from the 
multiplier stream, 

3.2.3) an XOR means for forming a product bit by 
modulo-2 addition of a XOR datum bit with a bit 
in the multiplicand selected by the correspond- 
ing position value, and 

3.2.4) an accumulation means for concatenating the 55 
plurality of product bits to form a product value; 

3.3) an unpacker means for expanding a packed func- 
tion index received from the garbage index means 
into a function index, the expansion is in accor- 
dance with a global dependency index also re- 60 
ceived from the garbage index means with each 
resulting function index sent to an evaluator means; 

3.4) the evaluator means for transforming a function 
index received from the unpacker means into a 
function value for storage in the function table 65 
means; 

3.5) a permuting unit means for transforming function 
values received from the function table into sum 



elements for storage in the sum table, the permut- 
ing unit means including 

3.5.1) an ordering means for providing a permu- 
tated ordering of the function values in accor- 
dance with a permutation selector received from 
the garbage index means, 

3.5.2) a permuting-unit decomposition means for 
decomposing a nibble perm selector received 
from the garbage index means into a plurality of 
nib selectors, each nib selector corresponding to 
a pair of permutated function values taken con- 
secutively, 

3.5.3) a permutation means for resolving a nib se- 
lectors received from the permuting-unit decom- 
position means into a permutation, the permuta- 
tion being applied to the nibbles of the corre- 
sponding function values pair to form a sum 
element; 

3.6) a collecting unit means for transforming sum 
elements received from the sum table means into 
accumulation elements for storage in the accumula- 
tor multiplicand register means, the collecting unit 
means including 

3.6.1) a collecting-unit decomposition means for 
decomposing an accumulation index received 
from the garbage index means into a plurality of 
collector indexes, each collector index corre- 
sponding to a pair of sum elements, a pairing 
being formed with consecutive sum elements, 
and 

3.6.2) a combining operation means for forming an 
accumulation element by using a collector index 
received from the collecting-unit decomposition 
means to select a combining operation, from a 
plurality of functions comprised of ADD and 
SUB and XOR and NEG, with the selected com- 
bining operation applied to the corresponding 
sum element pair; 

40 4) a bus switch means for routing multiplicands to the 
streaming CEM means, and product values from the 
streaming CEM means; 
5) a transition controller means for providing a keys- 
tream fragment and a next state value, the transition 
controller means including 

5.1) a dependency initialization means for storing the 
random numbers from the random generator means 
into the dependency table means, wherein the ran- 
dom generator means is seeded with values re- 
ceived from the machine register means and state 
register means, 

5.2) a garbage initialization means for storing the 
product value from the streaming CEM means into 
the garbage index means, wherein the starting ad- 
dress received by the streaming CEM means is zero 
and the multiplicand received by the streaming 
CEM means is the concatenation of the machine 
register means and state register means routed 
through the bus switch means, 

5.3) a garbage parsing means for decomposing the 
garbage index means into its component fields, 

5.4) an unpacking means for successively transmitting 
to the evaluator means a plurality of function in- 
dexes formed by the unpacker means, 

5.5) an evaluation means for successively transmitting 
to the function table means a plurality of function 
values formed by the evaluator means, 
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5.6) a summation means for successively transmitting 
to the sum table means a plurality of sum elements 
formed by the permuting unit means, 

5.7) a collection means for successively transmitting 
to the accumulator multiplicand register means a 
plurality of accumulation elements formed through 
by the collect unit means, 

5.8) a next state means for storing the product value 
from the streaming CEM means as a next state 
variable into the state register means, wherein the 
starting address received by the streaming CEM 
means is the state emitter index from the garbage 
index means, and wherein the multiplicand re- 
ceived by the streaming CEM means is the con- 
tents of the accumulator multiplicand register 
means routed through the bus switch means, and 

3.9) an output means for transmitting the product 
value from the streaming CEM means as a keys- 
tream fragment, wherein the starting address re- 
ceived by the streaming CEM means is the output 20 
emitter index from the garbage index means, and 
wherein the multiplicand received by the stream- 
ing CEM means is the contents of the accumulator 
multiplicand register means routed through the bus 
switch means; 

wherein a state transition permits the process to con- 
tinue; 

wherein a plurality of keystream fragments result; 
wherein a concatenation of successive keystream 

fragments is defined as the keystream. 
26. The keystream generator according to claim 25 
wherein the 3.1) random generator means comprises: 

3.1.1) a source of an initialization value; 

3.1.2) a multiplier with one multiplicand fixed serv- 
ing as a congmential multiplier generator; 

3.1.3) a seed register for providing a multiplicand 
to the multiplier; 

3.1.4) a parsing register for decomposing a product 
from the multiplier; 

3.1.5) a key table for holding a plurality of values 40 
from the multiplier; 

3.1.6) a selection register for addressing a bit in the 
key table; 

3.1.7) an XOR means for performing modulo-2 
addition on a bit pair; 

3.1.8) a collection register, being a shift register 
used to form a random value by concatenating 
amorphous bits; 

3.1.9) a random controller means for forming a 
fixed quantity of random outputs, the random 
controller means including 

3.1.9.1) means for initializing the seed register 
with a first seed value formed by XORing 
together two portions of the initialization 
value, 

3.1.9.2) means for advancing the seed register by 
replacing the seed register with the product 
from the multiplier with the seed register's 
content used as the other multiplicand, 

3.1.9.3) means for initializing the key table with 
successive products from the multiplier using 
the first seed value; 

3.1.9.4) means for resetting the selection register 
to address the first key table bit, 

3.1.9.5) means for filling the seed register with a 65 
second seed value formed by XORing to- 
gether two additional partitions of the initial- 
ization value, 
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3.1.9.6) means for generating a finite sequence of 
amorphous bits including 

3.1.9.6.1) means for advancing the seed regis- 
ter with the multiplier's product also stored 
in the parsing register, 

3.1.9.6.2) means for successively decomposing 
the parsing register into a plurality of delta 
value and XOR datum bit pairs, 

3.1.9.6.3) means for forming an amorphous bit 
by using the output of the XOR means ap- 
plied with an XOR datum bit received from 
the parsing register and a key table bit se- 
lected by the selection register, 

3.1.9.6.3) means for advancing the selection 
register by adding to it a delta value re- 
ceived from the parsing register assuming 
that arithmetic is such that an overflow 
wraps to the start address in the key table 

3.1.9.7) means for storing the amorphous bit in 
the collection register, 

wherein a random value is contained in the col- 
lection register once enough amorphous bits 
are generated; 
wherein random values are successively gener- 
ated by a fixed number of amorphous bit for- 
mation operations. 
27. The keystream generator according to claim 25 
wherein the 3.3) unpacker means comprises: 

3.3.1) a bit address register, used in forming an 
unpacking stream and a plurality of creature bits; 

3.3.2) unpacking streamer means for forming the 
unpacking stream by successively incrementing 
the bit address register and outputting the depen- 
dency table bits selected, wherein cyclical ad- 
dressing is employed; 

3.3.3) an insertible shift register, being a general- 
ized shift register with the capacity to insert a bit 
value at a given address by first shifting the bits 
at and beyond the insert point to make room for 
the bit value to be inserted; 

3.3.4) an insert list, being a plurality of registers 
used to hold addresses selecting bits within the 
insertible shift register; 

3.3.5) a dispersed descriptor, being another plural- 
ity of register pairs for holding skipper and xor 
datum bit pairs; 

3.3.6) a dispersed count register for holding the 
number of valid skipper and xor datum bit pair; 

3.3.7) a current pair register for selecting some pair 
in the dispersed descriptor, 

3.3.8) an unpacking controller means for succes- 
sively transforming each packed function index 
into a function index, the unpacking controller 
means including 

3.3.8.1) means for loading the bit address register 
with the global dependency index, 

3.3.8.2) means for loading the insertible shift 
register with a packed function index, 

3.3.8.3) means for decomposing the packed func- 
tion index into an insert list index composed of 
a plurality of position addresses used to fill the 
insert list, 

3.3.8.4) means for decomposing the packed func- 
tion index into an unpacking index used to fill 
the dispersed count register; 

3.3.8.5) means for resetting the current pair regis- 
ter so it points to a first pair in dispersed de- 
scriptor; 
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3.3.8.6) means for forming skipper and xor datum 
bit pairs from consecutive unpacking stream 
bits with the pairs of number according to the 
dispersed count register stored in the dispersed 
descriptor, 5 

3.3.8.7) means for forming a plurality of creature 
bits of same number as position addresses with 
a dispersed emission process, the means in- 
cluding 

3.3.8 7.1) means for fetching the dependency 10 
table bit selected by the bit address register 
which is XORed with the current xor datum 
bit selected by the current pair register to 
form a creature bit, 

3.3.8.7.2) means for advancing the bit address 15 
register by adding to it the value of the 
current skipper selected by the current pair 
register assuming that arithmetic is such that 
an overflow wraps to the start address in the 
dependency table, 20 

3.3.8.7.3) means for advancing the current pair 
register by incrementing it once subject to 
bounding by the contents of the dispersed 
count register so that it addresses a valid 
pair in the dispersed descriptor; and 25 

3.3.8.8) means for successively inserting each 
creature bit into the insertible shift register at 
the location selected by consecutive position 
addresses of the insert list; 

wherein the residual bit address is used to form 30 
successive function indexes for a given tran- 
sition stage; and 

wherein upon creature bit insertion the insert- 
ible shift register contains the function in- 
dex. 35 

28. The keystream generator according to claim 25 
wherein the 3.4) evaluator means comprises: 

3.4.1) means for decomposing a function index into 
the various fields of (i) an order index, (U) a de- 
pendency index, (iii) an operand 1 index, (iv) an 40 
operand 2 index, (v) an operand 3 index, (vi) an 
operation 1 index, and (vii) an operation 2 index; 

3.4.2) operand maker means for transforming the 
three operand indexes into three operands; 

3.4.3) logical operation means responsive to the 45 
operand 1 index for selecting a combining opera- 
tion from a plurality of functions comprised of 
AND and OR and XOR and NOT, therein to 
combine two operands into a third; 

3.4.4) arithmetic operation responsive to the oper- 50 
and 2 index for selecting a combining operation 
from a plurality of functions comprised of ADD 
and SUB and MUL and DIV, therein to combine 
two operands into a third; 

3.4.5) ordering means responsive to the order index 55 
for selecting an order of the logical operation 
and the arithmetic operation, wherein a first 
operation is performed upon first and second 
operands followed by performing a second oper- 
ation upon the third operand and a result from 60 
the first operation; 

wherein the operand resulting from the second 
operation is defined as the function value. 

29. The keystream generator according to claim 28 
wherein the 3.4.2) operand maker means comprises: 65 

3.4.2.1) operand streamer means responsive to 
the dependency index for selecting a bit in the 
dependency table with the selected bit and 



those bits immediately following, therein 
forming an operand stream from the depen- 
dency table using the dependency index to the 
select the starting bit; 
3.4.12) a dispersed descriptor, being a plurality 
of register pairs for holding skipper and xor 
datum bit pairs; 

3.4.2.3) a dispersed count register for holding the 
number of valid skipper and xor datum bit 
pair, 

3.4.2.4) a current pair register for selecting some 
pair in the dispersed descriptor; 

3.4.2.5) an emission pointer register for selecting 
a bit in the garbage index; 

3.4.2.6) an operand register, being a shift register 
used to form an operand by concatenating 
emission bits; 

3.4.2.7) an operand controller means for succes- 
sively transforming each operand index into 
an operand, the operand controller means 
including 

3.4.2.7.1) means for decomposing an operand 
index into an extraction index used to fill the 
dispersed count register, and a source index 
used to initialize the emission pointer regis- 
ter; 

3.4.2.7.2) means for resetting the current pair 
register so it points to the first pair; 

3.4.2.7.3) means for forming skipper and xor 
datum bit pairs from consecutive operand 
stream bits with the pairs of number accord- 
ing to the dispersed count register stored in 
the dispersed descriptor; 

3.4.2.7.4) means for forming an emission bit 
including 

3.4.2.7.4.1) means for fetching the garbage 
index bit selected by the emission pointer 
register which is XORed with the current 
xor datum bit selected by the current pair 
register to form an emission bit, 

3.4.2.7.4.2) means for advancing the emission 
pointer register by adding to it the value of 
the current skipper selected by the current 
pair register assuming that arithmetic is such 
that an overflow wraps to the start address 
in the garbage index, and 

3.4.2.7.4.3) means for advancing the current 
pair register by incrementing it once subject 
to bounding by the contents of the dispersed 
count register so that it addresses a valid 
pair in the dispersed descriptor, 

3.4.2.7.5) means for storing the emission bit in 
the operand register; 

wherein an operand is contained in the oper- 
and register once enough emission bits are 
generated; 

wherein the three operands are successively 
generated using the operand stream continu- 
ously. 

30. A state machine for generating an extended- 
length cryptographic key by non-linear processes, the 
machine comprising: 

1) a state transition means for transforming a state vari- 
able into an keystream fragment and a next state vari- 
able in accordance with a directive called a machine 
index, the state transition means including 
1.1) a dependency formation means for generating a 
plurality of random bits from the machine index 
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and state variable, the dependency bits serving as 
dependent parameters for subsequent operations; 

1.2) a garbage index formation means for deriving 
from the machine index, state variable, and depen- 
dency bits a garbage index; 5 

1.3) a parsing means for decomposing the garbage 
index into a plurality of fields which provide for a 
transition function and an output function; 

1.4) a field expansion means for exploding certain 
fields; 10 

1.5) evaluation means, interpreting the fields of the 
transition and output functions as directives, for 
forming operands and selectively performing oper- 
ations thereon, the selected operations on the 
formed operands producing intermediary results IS 
which are used as operands for additional opera- 
tions to be selected with additional fields, this eval- 
uation process terminating after a predetermined 
number of levels into a final result; 

20 



wherein a state transition permits the process to con- 
tinue; 

wherein a plurality of keystream fragments result; 
wherein a concatenation of successive keystream 
fragments is defined as the keystream. 

31. The machine according to claim 30 wherein the 

1.1) dependency formation means comprises: 

1.1.1) a dispersed amorphous process using the 
output of congruential multiplier random gener- 
ators as input 

32. The machine according to claim 30 wherein the 

1.2) garbage index formation means comprises: 
1.2.1) a streaming CEM. 

33. The machine according to claim 30 wherein the 
field expansion means operates to explode certain fields 
by injecting dependency bits into the fields at points 
selected by a dispersed emission stream of dependency 
bits. 
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